The Simple Method Automatically Updating Snort Rules
Automatically Updating Snort Rules 123
tar: rulesrservices.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesrpc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future tar: rulesporn.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulespolicy.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesnetbios.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesmisc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future tar: ruleslocal.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesinfo.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future tar: rulesicmp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesicmp-info.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the
future tar: rulesftp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesfinger.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesexploit.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesdos.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future tar: rulesdns.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rulesddos.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future tar: rulesbad-traffic.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the
future tar: rulesbackdoor.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the
future tar: rulessnort.conf: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future done.
Disabling rules according to .oinkmaster.conf... 0 rules disabled. Comparing new files to the old ones... done.
[] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 [] [] Rules addedremovedmodified: []
[+++] Added: [+++] - File tftp.rules:
alert udp any any - any 69 msg:TFTP GET shadow; content: |0001|;
offset:0; depth:2; content:shadow; nocase; classtype:successful-admin; sid:1442; rev:1;
alert udp any any - any 69 msg:TFTP GET passwd; content: |0001|; offset:0; depth:2; content:passwd; nocase; classtype:successful-admin;
sid:1443; rev:1; alert udp EXTERNAL_NET any - HOME_NET 69 msg:TFTP parent directory;
content:..; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:519; rev:1;
[] Modified active: [] - File tftp.rules:
124 Chapter 3 • Working with Snort Rules
Old: alert udp EXTERNAL_NET any - HOME_NET 64 msg:TFTP Put; content:|00 02|; offset:0; depth:2; reference:cve,CVE-1999-0183;
reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3; New: alert udp EXTERNAL_NET any - HOME_NET 69 msg:TFTP Put;
content:|00 02|; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;
[] Non-rule lines addedremoved: [] None.
[] Added files: [] None.
The tool gives you a detailed report of actions taken during the update process. You can test this by deleting and modifying some rules and running the tool again. The
following is a partial output seen when Oinkmaster adds and updates some rules.
Comparing new files to the old ones... done. [] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 []
[] Rules addedremovedmodified: [] [+++] Added: [+++]
- File tftp.rules: alert udp any any - any 69 msg:TFTP GET shadow; content: |0001|;
offset:0; depth:2; content:shadow; nocase; classtype:successful-admin; sid:1442; rev:1;
alert udp any any - any 69 msg:TFTP GET passwd; content: |0001|; offset:0; depth:2; content:passwd; nocase; classtype:successful-admin;
sid:1443; rev:1; alert udp EXTERNAL_NET any - HOME_NET 69 msg:TFTP parent directory;
content:..; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:519; rev:1;
[] Modified active: [] - File tftp.rules:
Old: alert udp EXTERNAL_NET any - HOME_NET 64 msg:TFTP Put; content:|00 02|; offset:0; depth:2; reference:cve,CVE-1999-0183;
reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3; New: alert udp EXTERNAL_NET any - HOME_NET 69 msg:TFTP Put;
content:|00 02|; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;
[] Non-rule lines addedremoved: [] None.
[] Added files: [] None.
Default Snort Rules and Classes 125
The script uses a configuration file where many options can be configured. Specif- ically you can configure the following in the configuration file
oinkmaster.conf: • URL of the location from where it downloads the Snort rules. By default this
URL is http:www.snort.orgdownloadssignaturessnortrules.tar.gz or http: www.snort.orgdownloadssnortrules.tar.gz. This is configured using the url
keyword in the configuration file.
• Files to be updated. By default files ending with .rules, .config, .conf,
.txt and .map are updated and all other files are ignored. This is done using the
update_files keyword. • Files to be skipped when updating rules. This is done using the skipfile
keyword. You can use as many skipfiles lines as you like. This option is useful when you have customized rules in some files. When you skip these files, your
customized rules will not be overwritten during the update process.
• You can disable certain rules permanently using the disablesid keyword in the configuration file. The tool will not update these rules during the update.
Please use the README and INSTALL files that come with the tool. You can use this tool from a cron script to periodically update your rule set.