Include Files The Snort Configuration File
3.9 Automatically Updating Snort Rules
There are multiple tools available to update Snort signatures. When using any of these tools you must be careful because you may accidentally modify or delete your custom- ized rules. I shall discuss two methods of updating rules.3.9.1 The Simple Method
This method consists of a simple shell script. It requires that you have wget pro- gram installed on your system. The wget program is used to retrieve any file using HTTP protocol. In essence, it is just like a web browser, but it retrieves one file from a command line argument. binsh Place of storing your Snort rules. Change these variables according to your installation. RULESDIR=etcsnort RULESDIRBAK=etcsnortbak Path to wget program. Modify for your system if needed. WGETPATH=usrbin URI for Snort rules RULESURI=http:www.snort.orgdownloadssnortrules.tar.gz Get and untar rules. cd tmp rm -rf rules WGETPATHwget RULESURI Automatically Updating Snort Rules 121 tar -zxf snortrules.tar.gz rm –f snortrules.tar.gz Make a backup copy of existing rules mv RULESDIR.rules RULESDIRBAK Copy new rules to the location mv tmprules.rules RULESDIR Let us explore how this script works. The following lines simply set some vari- ables. RULESDIR=etcsnort RULESDIRBAK=etcsnortbak WGETPATH=usrbin RULESURI=http:www.snort.orgdownloadssnortrules.tar.gz The following three lines are used to go to tmp directory, remove any existing directory tmprules and download the snortrules.tar.gz file from the URI specified by the RULESURI variable. cd tmp rm -rf rules WGETPATHwget RULESURI After downloading, you extract the rules files from snortrules.tar.gz file and then delete it using the following two lines. The files extracted are placed in tmprules directory. tar -zxf snortrules.tar.gz rm -f snortrules.tar.gz The following line makes a backup copy of existing rules files, just in case you need the old copy later on. mv RULESDIR.rules RULESDIRBAK The last line in the script moves new rules from tmprules directory to the actual rules directory etcsnort where Snort can read them. mv tmprules.rules RULESDIR Make sure to restart Snort after running this script. If you have a start script like the one described in Chapter 2, you can add a line at the end of the shell script to restart Snort. etcinit.dsnortd restart You may also restart Snort using the command line.Parts
» Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Logs False Alarms Some Definitions
» Where IDS Should be Placed in Network Topology
» Honey Pots What is Intrusion Detection?
» Security Zones and Levels of Trust
» IDS Policy Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Packet Decoder Preprocessors Components of Snort
» The Detection Engine Components of Snort
» Dealing with Switches Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» TCP Stream Follow Up Supported Platforms
» Snort on Stealth Interface Snort with no IP Address Interface
» References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Test Installation Snort Installation Scenarios
» Single Sensor Production IDS
» Multiple Snort Sensors with Centralized Database
» Download Install Installing Snort from the RPM Package
» Unpacking Installing Snort from Source Code
» Running the configure script. Running the
» Running the make install command.
» Create or copy the Snort configuration file in
» Create a directory After Installation Processes
» Generating Test Alerts Testing Snort
» Generating Test Alerts with Automatic Snort Startup
» Errors While Starting Snort Running Snort on a Non-Default Interface
» Automatic Startup and Shutdown
» Running Snort on Multiple Network Interfaces
» Logging Snort Data in Text Format
» Logging Snort in Binary Format
» Network Intrusion Detection Mode
» UNIX Socket Mode Snort Alert Modes
» Running Snort in Stealth Mode
» TCPIP Network Layers Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» CIDR Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» User Defined Actions Rule Actions
» Well-Known Port Numbers Port Number
» The ack Keyword The classtype Keyword
» The content Keyword Rule Options
» The offset Keyword Rule Options
» The depth Keyword The content-list Keyword
» The dsize Keyword Rule Options
» The flags Keyword Rule Options
» The fragbits Keyword Rule Options
» The itype Keyword Rule Options
» The icode Keyword Rule Options
» The id Keyword The ipopts Keyword
» The logto Keyword Rule Options
» The reference Keyword Rule Options
» The resp Keyword Rule Options
» The rev Keyword The rpc Keyword
» The session Keyword Rule Options
» The sid Keyword Rule Options
» The tag Keyword Rule Options
» The tos Keyword Rule Options
» The ttl Keyword Rule Options
» The uricontent Keyword Rule Options
» Using a List of Networks in Variables Using Interface Names in Variables
» The config Directives The Snort Configuration File
» Preprocessor Configuration Output Module Configuration
» Include Files The Snort Configuration File
» Order of Rules Based upon Action
» The Simple Method Automatically Updating Snort Rules
» The Sophisticated and Complex Method
» Writing Good Rules Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» The frag2 Module Preprocessors
» The stream4 Module Preprocessors
» The spade Module Preprocessors
» The alert_syslog Output Module
» The alert_smb Module The log_tcpdump Output Module
» Examples The XML Output Module
» Logging to Databases Output Modules
» CSV Output Module Output Modules
» Unified Logging Output Module SNMP Traps Output Module
» Using BPF Fileters Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Creating Extra Tables Step 5: Creating Tables in the Snort Database
» Secure Logging to Remote Databases Securely Using Stunnel
» Archiving the Database Snort Database Maintenance
» Using Sledge Hammer: Drop the Database
» What is ACID? Installation and Configuration
» Listing Protocol Data Alert Details Searching
» Generating Graphs Archiving Snort Data
» SnortSnarf Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Barnyard References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» IDS Policy Manager Prentice.Hall – Intrusion.Detection.Systems.with.Snort
Show more