分享
 
 
 

Working with Snort Rules

王朝other·作者佚名  2006-04-26
窄屏简体版  字體: |||超大  

3.9 Automatically Updating Snort Rules

There are multiple tools available to update Snort signatures. When using any of these tools you must be careful because you may accidentally modify or delete your customized rules. I shall discuss two methods of updating rules.

3.9.1 The Simple Method

This method consists of a simple shell script. It requires that you have wget program installed on your system. The wget program is used to retrieve any file using HTTP protocol. In essence, it is just like a web browser, but it retrieves one file from a command line argument.

#!/bin/sh

# Place of storing your Snort rules. Change these variables

# according to your installation.

RULESDIR=/etc/snort

RULESDIRBAK=/etc/snort/bak

# Path to wget program. Modify for your system if needed.

WGETPATH=/usr/bin

# URI for Snort rules

RULESURI=http://www.snort.org/downloads/snortrules.tar.gz

# Get and untar rules.

cd /tmp

rm -rf rules

$WGETPATH/wget $RULESURI

tar -zxf snortrules.tar.gz

rm –f snortrules.tar.gz

# Make a backup copy of existing rules

mv $RULESDIR/*.rules $RULESDIRBAK

# Copy new rules to the location

mv /tmp/rules/*.rules $RULESDIR

Let us explore how this script works. The following lines simply set some variables.

RULESDIR=/etc/snort

RULESDIRBAK=/etc/snort/bak

WGETPATH=/usr/bin

RULESURI=http://www.snort.org/downloads/snortrules.tar.gz

The following three lines are used to go to /tmp directory, remove any existing directory /tmp/rules and download the snortrules.tar.gz file from the URI specified by the $RULESURI variable.

cd /tmp

rm -rf rules

$WGETPATH/wget $RULESURI

After downloading, you extract the rules files from snortrules.tar.gz file and then delete it using the following two lines. The files extracted are placed in /tmp/rules directory.

tar -zxf snortrules.tar.gz

rm -f snortrules.tar.gz

The following line makes a backup copy of existing rules files, just in case you need the old copy later on.

mv $RULESDIR/*.rules $RULESDIRBAK

The last line in the script moves new rules from /tmp/rules directory to the actual rules directory /etc/snort where Snort can read them.

mv /tmp/rules/*.rules $RULESDIR

Make sure to restart Snort after running this script. If you have a start script like the one described in Chapter 2, you can add a line at the end of the shell script to restart Snort.

/etc/init.d/snortd restart

You may also restart Snort using the command line.

3.9.2 The Sophisticated and Complex Method

This section provides information about the use of Oinkmaster found at http://www.algonet.se/~nitzer/oinkmaster/. Oinkmaster is a tool to update Snort rule files. It is written in Perl, so you must have Perl installed on your Snort machine to make this tool work. It can be configured to download new rule files from the Internet, find out what rules need to be updated and then updates them. If you have modified some standard rules according to your own requirements, you can configure Oinkmaster not to update these customized rules. At the time of writing this book, version 0.6 of this tool is available. By now updated versions may be available. Oinkmaster is a Perl script and uses a configuration file to update the rules.

It is recommended that you use a temporary directory the first time you use this Perl script. I have used /tmp/rules directory. When you use the following command, it will download all rules, untar them and save all files in /tmp/rules directory.

[rr@conformix]$ ./oinkmaster.pl -o /tmp/rules/

Downloading rules archive from http://www.snort.org/dl/signatures/snortrules.tar.gz...

12:27:09 URL:http://www.snort.org/dl/signatures/snortrules.tar.gz [79487/79487] -> "/tmp/

oinkmaster.9875/snortrules.tar.gz" [1]

Archive successfully downloaded, unpacking... tar: rules/attack-responses.rules: time

stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/classification.config: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/sid-msg.map: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/x11.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/web-misc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/web-iis.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/web-frontpage.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/web-coldfusion.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/web-cgi.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/web-attacks.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/virus.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/tftp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/telnet.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/sql.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/smtp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/shellcode.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/scan.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/rservices.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/rpc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/porn.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/policy.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/netbios.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/misc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/local.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/info.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/icmp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/icmp-info.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/ftp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/finger.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/exploit.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/dos.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/dns.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/ddos.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/bad-traffic.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/backdoor.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules/snort.conf: time stamp 2002-07-14 13:10:24 is 348194 s in the future

tar: rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future

done.

Disabling rules according to ./oinkmaster.conf... 0 rules disabled.

Comparing new files to the old ones... done.

[***] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 [***]

[*] Rules added/removed/modified: [*]

[+++] Added: [+++]

-> File "tftp.rules":

alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|"; offset:0;

depth:2; content:"shadow"; nocase; classtype:successful-admin; sid:1442; rev:1;)

alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0;

depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:

".."; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:

519; rev:1;)

[///] Modified active: [///]

-> File "tftp.rules":

Old: alert udp $EXTERNAL_NET any -> $HOME_NET 64 (msg:"TFTP Put"; content:"|00

02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:

bad-unknown; sid:518; rev:3;)

New: alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00

02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:

bad-unknown; sid:518; rev:3;)

[*] Non-rule lines added/removed: [*]

None.

[*] Added files: [*]

None.

The tool gives you a detailed report of actions taken during the update process. You can test this by deleting and modifying some rules and running the tool again. The following is a partial output seen when Oinkmaster adds and updates some rules.

Comparing new files to the old ones... done.

[***] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 [***]

[*] Rules added/removed/modified: [*]

[+++] Added: [+++]

-> File "tftp.rules":

alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|"; offset:0;

depth:2; content:"shadow"; nocase; classtype:successful-admin; sid:1442; rev:1;)

alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0;

depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:

".."; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:

519; rev:1;)

[///] Modified active: [///]

-> File "tftp.rules":

Old: alert udp $EXTERNAL_NET any -> $HOME_NET 64 (msg:"TFTP Put"; content:"|00

02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:

bad-unknown; sid:518; rev:3;)

New: alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00

02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:

bad-unknown; sid:518; rev:3;)

[*] Non-rule lines added/removed: [*]

None.

[*] Added files: [*]

None.

The script uses a configuration file where many options can be configured. Specifically you can configure the following in the configuration file oinkmaster.conf:

URL of the location from where it downloads the Snort rules. By default this URL is http://www.snort.org/downloads/signatures/snortrules.tar.gz or http://www.snort.org/downloads/snortrules.tar.gz. This is configured using the url keyword in the configuration file.

Files to be updated. By default files ending with .rules, .config, .conf, .txt and .map are updated and all other files are ignored. This is done using the update_files keyword.

Files to be skipped when updating rules. This is done using the skipfile keyword. You can use as many skipfiles lines as you like. This option is useful when you have customized rules in some files. When you skip these files, your customized rules will not be overwritten during the update process.

You can disable certain rules permanently using the disablesid keyword in the configuration file. The tool will not update these rules during the update.

Please use the README and INSTALL files that come with the tool. You can use this tool from a cron script to periodically update your rule set.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有