120 Chapter 3 • Working with Snort Rules You must be careful when choosing this order because just one badly written pass rule may allow many alert packets to pass through without being checked. If you really know what you are doing, you can use the –o command line switch to disable the default order and enable the new order of applying rules. You can also use “config order” in the configuration file for this purpose. Again, this is dangerous and you have been warned twice now If you are sure of what you are doing, add this line in the snort.conf file: config order If you define your own rule types, they are checked last in the sequence. For exam- ple, if you have defined a rule type snmp_alerts, the order of rule application will be: Alert - Pass - Log -snmp_alerts

3.9 Automatically Updating Snort Rules

There are multiple tools available to update Snort signatures. When using any of these tools you must be careful because you may accidentally modify or delete your custom- ized rules. I shall discuss two methods of updating rules.

3.9.1 The Simple Method

This method consists of a simple shell script. It requires that you have wget pro- gram installed on your system. The wget program is used to retrieve any file using HTTP protocol. In essence, it is just like a web browser, but it retrieves one file from a command line argument. binsh Place of storing your Snort rules. Change these variables according to your installation. RULESDIR=etcsnort RULESDIRBAK=etcsnortbak Path to wget program. Modify for your system if needed. WGETPATH=usrbin URI for Snort rules RULESURI=http:www.snort.orgdownloadssnortrules.tar.gz Get and untar rules. cd tmp rm -rf rules WGETPATHwget RULESURI Automatically Updating Snort Rules 121 tar -zxf snortrules.tar.gz rm –f snortrules.tar.gz Make a backup copy of existing rules mv RULESDIR.rules RULESDIRBAK Copy new rules to the location mv tmprules.rules RULESDIR Let us explore how this script works. The following lines simply set some vari- ables. RULESDIR=etcsnort RULESDIRBAK=etcsnortbak WGETPATH=usrbin RULESURI=http:www.snort.orgdownloadssnortrules.tar.gz The following three lines are used to go to tmp directory, remove any existing directory tmprules and download the snortrules.tar.gz file from the URI specified by the RULESURI variable. cd tmp rm -rf rules WGETPATHwget RULESURI After downloading, you extract the rules files from snortrules.tar.gz file and then delete it using the following two lines. The files extracted are placed in tmprules directory. tar -zxf snortrules.tar.gz rm -f snortrules.tar.gz The following line makes a backup copy of existing rules files, just in case you need the old copy later on. mv RULESDIR.rules RULESDIRBAK The last line in the script moves new rules from tmprules directory to the actual rules directory etcsnort where Snort can read them. mv tmprules.rules RULESDIR Make sure to restart Snort after running this script. If you have a start script like the one described in Chapter 2, you can add a line at the end of the shell script to restart Snort. etcinit.dsnortd restart You may also restart Snort using the command line.