Automatically Updating Snort Rules 121
tar -zxf snortrules.tar.gz
rm -f snortrules.tar.gz

# Make a backup copy of existing rules
mv $RULESDIR/*.rules $RULESDIRBAK

# Copy new rules to the location
mv /tmp/rules/*.rules $RULESDIR
Let us explore how this script works. The following lines simply set some variables.

RULESDIR=/etc/snort
RULESDIRBAK=/etc/snortbak
WGETPATH=/usr/bin
RULESURI=http://www.snort.org/downloads/snortrules.tar.gz
The following three lines change to the /tmp directory, remove any existing /tmp/rules directory and download the snortrules.tar.gz file from the URI specified by the RULESURI variable.

cd /tmp
rm -rf rules
$WGETPATH/wget $RULESURI
After downloading, the next two lines extract the rules files from snortrules.tar.gz and then delete the archive. The extracted files are placed in the /tmp/rules directory.

tar -zxf snortrules.tar.gz
rm -f snortrules.tar.gz
The following line makes a backup copy of the existing rules files, in case you need the old copy later on. The backup directory (/etc/snortbak here) must already exist; mv does not create it, and with several rules files it fails if the target is not a directory.

mv $RULESDIR/*.rules $RULESDIRBAK
The last line in the script moves the new rules from the /tmp/rules directory to the actual rules directory, /etc/snort, where Snort can read them. Note that nothing in the script checks what was downloaded: it installs whatever the plain-HTTP fetch returned, so if you want to trust the result, verify the archive against a checksum or signature obtained out of band before moving it into place.

mv /tmp/rules/*.rules $RULESDIR
Make sure to restart Snort after running this script so that it re-reads the rules files. If you have a start script like the one described in Chapter 2, you can add a line at the end of the shell script to restart Snort.

/etc/init.d/snortd restart
You may also restart Snort using the command line.
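The following is a hardened variant of the update script explained above, added here as an example and not taken from the book. It performs the same steps (download, unpack, back up the old rules, install the new ones, restart Snort) but refuses to install an archive whose SHA-256 digest does not match a value supplied out of band, unpacks into a private mktemp directory instead of the predictable /tmp/rules, and never leaves the live rules directory empty. The use of sha256sum, mktemp -d, wget -O and the /etc/init.d/snortd path are assumptions about the host; where the expected digest comes from is outside the script.

```shell
#!/bin/sh
# Hardened rule-update script. Example code added to this page, not the
# book's script. sha256sum, mktemp -d and /etc/init.d/snortd are assumed.

# install_rules ARCHIVE EXPECTED_SHA256 RULESDIR RULESDIRBAK
# Installs *.rules from ARCHIVE (which must contain a rules/ directory, as
# snortrules.tar.gz does) into RULESDIR after copying the current rules to
# RULESDIRBAK. Returns non-zero and changes nothing in RULESDIR on failure.
install_rules() {
    archive=$1; expected=$2; rulesdir=$3; bakdir=$4

    # 1. Refuse a tampered or truncated download before touching anything.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "install_rules: checksum mismatch for $archive" >&2
        return 1
    fi

    # 2. Unpack into a fresh, private staging directory rather than a fixed
    #    /tmp/rules that another local user could pre-create or symlink.
    stage=$(mktemp -d) || return 1
    if ! tar -zxf "$archive" -C "$stage" || [ ! -d "$stage/rules" ]; then
        echo "install_rules: bad archive $archive" >&2
        rm -rf "$stage"
        return 1
    fi

    # 3. Back up the live rules. The original script assumes the backup
    #    directory exists; create it, and cope with an empty rules directory.
    mkdir -p "$bakdir" || { rm -rf "$stage"; return 1; }
    for f in "$rulesdir"/*.rules; do
        if [ -e "$f" ]; then cp -p "$f" "$bakdir"/; fi
    done

    # 4. Install the new rules. cp rather than mv, so the live directory is
    #    never empty between the backup and the install.
    for f in "$stage/rules"/*.rules; do
        if [ -e "$f" ]; then cp -p "$f" "$rulesdir"/; fi
    done
    rm -rf "$stage"
    return 0
}

# update_snort_rules URL EXPECTED_SHA256
# The full procedure: fetch, verify and install, then restart Snort.
# Needs network access and root; not exercised by the offline check below.
update_snort_rules() {
    url=$1; expected=$2
    tmp=$(mktemp -d) || return 1
    if ! wget -q -O "$tmp/snortrules.tar.gz" "$url"; then
        rm -rf "$tmp"
        return 1
    fi
    install_rules "$tmp/snortrules.tar.gz" "$expected" /etc/snort /etc/snortbak
    rc=$?
    rm -rf "$tmp"
    if [ "$rc" -eq 0 ]; then
        /etc/init.d/snortd restart   # assumed start script from Chapter 2
    fi
    return "$rc"
}
```

install_rules is deliberately separate from the download so it can be tested against a locally built archive: create a rules/ directory with a .rules file, tar it, compute its digest, and call install_rules with a scratch RULESDIR. Calling it a second time with a wrong digest should return 1 and leave the scratch directory unchanged.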
122 Chapter 3 • Working with Snort Rules
3.9.2 The Sophisticated and Complex Method
This section provides information about the use of Oinkmaster, found at http://www.algonet.se/~nitzer/oinkmaster/. Oinkmaster is a tool to update Snort rule files. It is written in Perl, so you must have Perl installed on your Snort machine to make this tool work. It can be configured to download new rule files from the Internet, find out which rules need to be updated and then update them. If you have modified some standard rules according to your own requirements, you can configure Oinkmaster not to update these customized rules. At the time of writing this book, version 0.6 of this tool is available. By now updated versions may be available. Oinkmaster is a Perl script and uses a configuration file to update the rules.
It is recommended that you use a temporary directory the first time you use this Perl script. I have used the /tmp/rules directory. When you run the following command, it will download all rules, untar them and save all files in the /tmp/rules directory.
[rr@conformix]$ ./oinkmaster.pl -o /tmp/rules
Downloading rules archive from http://www.snort.org/dl/signatures/snortrules.tar.gz...
12:27:09 URL:http://www.snort.org/dl/signatures/snortrules.tar.gz [79487/79487] -> /tmp/oinkmaster.9875/snortrules.tar.gz [1]
Archive successfully downloaded, unpacking...
tar: rules/attack-responses.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/classification.config: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/sid-msg.map: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/x11.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-misc.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-iis.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-frontpage.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-coldfusion.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-cgi.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/web-attacks.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/virus.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/tftp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/telnet.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/sql.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/smtp.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/shellcode.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future
tar: rules/scan.rules: time stamp 2002-07-14 13:10:24 is 348194 s in the future