3.9 Automatically Updating Snort Rules
There are multiple tools available to update Snort signatures. When using any of these tools, be careful: you may accidentally modify or delete your customized rules. I shall discuss two methods of updating rules.
3.9.1 The Simple Method
This method consists of a simple shell script. It requires that you have the wget program installed on your system. The wget program retrieves a file over the HTTP protocol; in essence it behaves like a web browser, except that it fetches the single file named on its command line.
#!/bin/sh
# Place of storing your Snort rules. Change these variables
# according to your installation.
RULESDIR=/etc/snort
RULESDIRBAK=/etc/snort/bak
# Path to wget program. Modify for your system if needed.
WGETPATH=/usr/bin
# URI for Snort rules
RULESURI=http://www.snort.org/downloads/snortrules.tar.gz
# Get and untar rules.
cd /tmp
rm -rf rules
$WGETPATH/wget $RULESURI
tar -zxf snortrules.tar.gz
rm -f snortrules.tar.gz
# Make a backup copy of existing rules
mv $RULESDIR/*.rules $RULESDIRBAK
# Copy new rules to the location
mv /tmp/rules/*.rules $RULESDIR
Let us explore how this script works. The following lines simply set some variables.
RULESDIR=/etc/snort
RULESDIRBAK=/etc/snort/bak
WGETPATH=/usr/bin
RULESURI=http://www.snort.org/downloads/snortrules.tar.gz
The following three lines change to the /tmp directory, remove any existing /tmp/rules directory, and download the snortrules.tar.gz file from the URI specified by the $RULESURI variable.
cd /tmp
rm -rf rules
$WGETPATH/wget $RULESURI
After downloading, the following two lines extract the rules files from the snortrules.tar.gz file and then delete the archive. The extracted files are placed in the /tmp/rules directory.
tar -zxf snortrules.tar.gz
rm -f snortrules.tar.gz
The following line makes a backup copy of existing rules files, just in case you need the old copy later on.
mv $RULESDIR/*.rules $RULESDIRBAK
The last line in the script moves the new rules from the /tmp/rules directory to the actual rules directory, /etc/snort, where Snort can read them.
mv /tmp/rules/*.rules $RULESDIR
Make sure to restart Snort after running this script. If you have a start script like the one described in Chapter 2, you can add a line at the end of the shell script to restart Snort.
/etc/init.d/snortd restart
You may also restart Snort using the command line.
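The script above does no checking: a failed or truncated download still empties /etc/snort, and any rule you edited in place is lost. The following hardened variant is an added example, not the book's script. It keeps the same layout (/etc/snort, /etc/snort/bak, the snortrules.tar.gz URI and the snortd init script from Chapter 2 are assumed), unpacks the archive into a staging directory, refuses to touch the live rules unless the archive actually contains .rules files, preserves the files named in KEEP (local.rules, by assumption) and prints which sids were added, removed or modified, along the lines of the Oinkmaster report in the next section, before swapping the rule set in.

```shell
#!/bin/sh
# Hardened version of the simple update script above. Added example, not the
# book's script. Paths and the rules URI are assumptions taken from the chapter;
# override them in the environment if your layout differs.
RULESDIR=${RULESDIR:-/etc/snort}
RULESDIRBAK=${RULESDIRBAK:-/etc/snort/bak}
RULESURI=${RULESURI:-http://www.snort.org/downloads/snortrules.tar.gz}
KEEP=${KEEP:-local.rules}   # files holding your own rules; the download never overwrites them

# Download the archive into a private work directory and print the tarball path.
fetch_rules() {
    work=$(mktemp -d) || return 1
    if ! wget -q -O "$work/snortrules.tar.gz" "$RULESURI"; then
        rm -rf "$work"; return 1
    fi
    echo "$work/snortrules.tar.gz"
}

# Print "<sid><TAB><rule>" for every active (uncommented) rule under a directory.
rules_by_sid() {
    cat "$1"/*.rules 2>/dev/null |
        awk '/^[ \t]*#/ { next }
             match($0, /sid:[0-9]+;/) { print substr($0, RSTART + 4, RLENGTH - 5) "\t" $0 }' |
        sort
}

# report_changes OLDDIR NEWDIR: list added, removed and modified sids, in the spirit
# of the Oinkmaster report, so the change can be reviewed before it goes live.
report_changes() {
    old=$(mktemp) && new=$(mktemp) || return 1
    rules_by_sid "$1" > "$old"
    rules_by_sid "$2" > "$new"
    awk -F '\t' -v oldf="$old" '
        BEGIN { while ((getline line < oldf) > 0) {
                    i = index(line, "\t"); o[substr(line, 1, i - 1)] = substr(line, i + 1) } }
        { seen[$1] = 1
          if (!($1 in o))       print "added    sid:" $1
          else if (o[$1] != $2) print "modified sid:" $1 }
        END { for (s in o) if (!(s in seen)) print "removed  sid:" s }' "$new"
    rm -f "$old" "$new"
}

# install_rules TARBALL RULESDIR BAKDIR: unpack into a staging area, refuse an
# archive that carries no rules, back up the current set, swap the new one in and
# put the KEEP files back. RULESDIR is not touched until the archive checks out.
install_rules() {
    tarball=$1; dir=$2; bak=$3
    stage=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$stage" || [ ! -d "$stage/rules" ]; then
        echo "install_rules: archive did not unpack to rules/, leaving $dir untouched" >&2
        rm -rf "$stage"; return 1
    fi
    count=0
    for f in "$stage/rules"/*.rules; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    if [ "$count" -eq 0 ]; then
        echo "install_rules: archive contains no .rules files, leaving $dir untouched" >&2
        rm -rf "$stage"; return 1
    fi
    mkdir -p "$bak" "$dir" || return 1
    report_changes "$dir" "$stage/rules"
    for f in "$dir"/*.rules; do
        if [ -e "$f" ]; then mv "$f" "$bak"/; fi
    done
    cp "$stage/rules"/*.rules "$dir"/
    for name in $KEEP; do
        if [ -e "$bak/$name" ]; then cp "$bak/$name" "$dir/$name"; fi
    done
    rm -rf "$stage"
    echo "install_rules: $count rule files installed, previous set saved in $bak"
}

# Full cycle for cron: fetch, install, restart. A failure at any step leaves the
# old rules in place and Snort running on them.
update_snort_rules() {
    tarball=$(fetch_rules) || { echo "download failed, rules unchanged" >&2; return 1; }
    rc=0
    install_rules "$tarball" "$RULESDIR" "$RULESDIRBAK" || rc=$?
    rm -rf "$(dirname "$tarball")"
    [ "$rc" -eq 0 ] || return "$rc"
    /etc/init.d/snortd restart
}

# Running the file without arguments only defines the functions;
# "sh update-rules.sh --update" performs the update (what the cron entry runs).
case "${1:-}" in
    --update) update_snort_rules ;;
esac
```

Install it as, say, /usr/local/sbin/update-rules.sh and call it with --update from cron. Without arguments it only defines the functions, so report_changes and install_rules can be tried against two directories of rule files without touching the live installation.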
3.9.2 The Sophisticated and Complex Method
This section describes the use of Oinkmaster, found at http://www.algonet.se/~nitzer/oinkmaster/. Oinkmaster is a tool to update Snort rule files. It is written in Perl, so you must have Perl installed on your Snort machine for it to work. It can be configured to download new rule files from the Internet, find out which rules need to be updated, and then update them. If you have modified some standard rules to suit your own requirements, you can configure Oinkmaster not to update these customized rules. At the time of writing this book, version 0.6 of this tool is available; newer versions may be available by now. Oinkmaster is a Perl script and uses a configuration file to control the update.
It is recommended that you use a temporary directory the first time you use this Perl script. I have used the /tmp/rules directory. When you run the following command, it downloads all rules, untars them, and saves all files in the /tmp/rules directory.
[rr@conformix]$ ./oinkmaster.pl -o /tmp/rules/
Downloading rules archive from http://www.snort.org/dl/signatures/snortrules.tar.gz...
12:27:09 URL:http://www.snort.org/dl/signatures/snortrules.tar.gz [79487/79487] -> "/tmp/oinkmaster.9875/snortrules.tar.gz" [1]
Archive successfully downloaded, unpacking... tar: rules/attack-responses.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/classification.config: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/sid-msg.map: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/x11.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-misc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-iis.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-frontpage.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-coldfusion.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-cgi.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-attacks.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/virus.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/tftp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/telnet.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/sql.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/smtp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/shellcode.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/scan.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/rservices.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/rpc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/porn.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/policy.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/netbios.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/misc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/local.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/info.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/icmp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/icmp-info.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/ftp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/finger.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/exploit.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/dos.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/dns.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/ddos.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/bad-traffic.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/backdoor.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/snort.conf: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
done.
Disabling rules according to ./oinkmaster.conf... 0 rules disabled.
Comparing new files to the old ones... done.
[***] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 [***]
[*] Rules added/removed/modified: [*]
[+++] Added: [+++]
-> File "tftp.rules":
alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|"; offset:0; depth:2; content:"shadow"; nocase; classtype:successful-admin; sid:1442; rev:1;)
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content: ".."; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:519; rev:1;)
[///] Modified active: [///]
-> File "tftp.rules":
Old: alert udp $EXTERNAL_NET any -> $HOME_NET 64 (msg:"TFTP Put"; content:"|00 02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;)
New: alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;)
[*] Non-rule lines added/removed: [*]
None.
[*] Added files: [*]
None.
The tool gives you a detailed report of actions taken during the update process. You can test this by deleting and modifying some rules and running the tool again. The following is a partial output seen when Oinkmaster adds and updates some rules.
Comparing new files to the old ones... done.
[***] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 [***]
[*] Rules added/removed/modified: [*]
[+++] Added: [+++]
-> File "tftp.rules":
alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|"; offset:0; depth:2; content:"shadow"; nocase; classtype:successful-admin; sid:1442; rev:1;)
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content: ".."; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:519; rev:1;)
[///] Modified active: [///]
-> File "tftp.rules":
Old: alert udp $EXTERNAL_NET any -> $HOME_NET 64 (msg:"TFTP Put"; content:"|00 02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;)
New: alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;)
[*] Non-rule lines added/removed: [*]
None.
[*] Added files: [*]
None.
The script uses a configuration file where many options can be configured. Specifically you can configure the following in the configuration file oinkmaster.conf:
The URL from which it downloads the Snort rules. By default this URL is http://www.snort.org/downloads/signatures/snortrules.tar.gz or http://www.snort.org/downloads/snortrules.tar.gz. This is configured using the url keyword in the configuration file.
Files to be updated. By default files ending with .rules, .config, .conf, .txt and .map are updated and all other files are ignored. This is done using the update_files keyword.
Files to be skipped when updating rules. This is done using the skipfile keyword, and you can use as many skipfile lines as you like. This option is useful when you have customized rules in some files: when you skip these files, your customized rules are not overwritten during the update process.
You can disable certain rules permanently using the disablesid keyword in the configuration file. The tool will not update these rules during the update.
Refer to the README and INSTALL files that come with the tool for details. You can run this tool from a cron script to update your rule set periodically.