[Snort-users] Updating Snort Rules...Made Easy..sort of
drsuse at ...748...
Tue Oct 9 14:56:11 EDT 2001
Updating Snort rules the quick and dirty way.
The examples given in this document are for updating Snort rules in an
environment where multiple Snort sensors are used.
I'm going to use my Snort directory structure as an example. Your directory
structure is probably different from mine but that's ok, you can still make
this method work for you.
/etc/snort (snort.conf, classifications.config)
/etc/snort/rules (all snort rules are here)
/etc/snort/scripts (all of my custom scripts are in here)
/etc/snort/tmp (If you can't figure this one out, you're hosed)
The problem with automatically updating rules is that over time you've
probably deleted or commented out some of the rules that either you don't need
or those which trigger too many false positives. You may have also written
your own custom rules.
Ok, let's get to the meat....here's what I did.
I first wrote a simple script using wget and cron'd it to run daily at noon.
This script simply downloads the snortrules.tar.gz rules from www.snort.org and
places it into the snort directory under my htdocs directory. I then added two
files to ~/htdocs/snort. One is called pass.rules and the other is called
For the rules you do not want, simply add them to the pass.rules file and
change them from alert to pass. Use the global.rules file for custom rules you
want to distribute to all of your sensors.
Next, you're going to want to edit your snort.conf file and make sure that the
first rule file loaded is the pass.rules file. Also, to make this work, you
have to remember to run snort with the -o option. Don't forget to add an
include statement for your new global.rules file.
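As an added example (not the poster's own script), here is a small POSIX shell function that builds pass.rules from a list of SIDs you have decided to silence: it pulls each matching active alert rule out of the freshly unpacked rules and rewrites its action from alert to pass, so the rule still parses but never fires once pass.rules is loaded first and snort runs with -o. The function name, the sample rules and the SID list are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# make_pass_rules RULESDIR SIDFILE OUTFILE
#   RULESDIR: directory with the freshly unpacked *.rules files
#   SIDFILE:  one Snort SID per line (blank lines and # comments ignored)
#   OUTFILE:  the pass.rules to publish on the internal web server
make_pass_rules() {
    rulesdir=$1; sidfile=$2; outfile=$3
    : > "$outfile"
    while IFS= read -r sid; do
        case $sid in ''|\#*) continue ;; esac
        # Take only active (uncommented) alert rules whose sid matches exactly
        # (the trailing ';' keeps sid:1002 from matching sid:10020) and turn
        # the action into pass.
        grep -h "^alert .*sid:[[:space:]]*$sid;" "$rulesdir"/*.rules \
            | sed 's/^alert /pass /' >> "$outfile"
    done < "$sidfile"
}

# Demo on constructed sample rules (not real snort.org rules); prints the
# generated pass.rules so the result can be inspected.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    cat > "$tmp/rules/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web one"; content:"aaa"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web two"; content:"bbb"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE already off"; sid:1000003; rev:1;)
EOF
    cat > "$tmp/rules/dns.rules" <<'EOF'
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE dns"; content:"ccc"; sid:1000010; rev:1;)
EOF
    # constructed SID list: rules that are too noisy on this network
    printf '# too noisy here\n1000001\n1000010\n1000003\n' > "$tmp/noisy.sids"
    make_pass_rules "$tmp/rules" "$tmp/noisy.sids" "$tmp/pass.rules"
    cat "$tmp/pass.rules"
    rm -rf "$tmp"
}
```

The commented-out sample rule (sid 1000003) is skipped on purpose: a rule that is already disabled in the feed needs no pass entry.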
Now all you have to do is use a script which uses wget to pull the
snortrules.tar.gz file from your internal web server, extract the rules to
a tmp directory, remove the local.rules and copy the rest to where you keep
your snort rules files on your sensors. Don't forget, you have to restart
Below are the scripts I'm using, nothing special. But first, let me give you a
few do's and don'ts:
1. DO NOT!!! configure all of your sensors to download the snortrules file from
snort.org, this will cause unnecessary traffic. Remember, all you need is a web
server inside your network to run the script on and if you're running demarc,
acid or snarf then you already have this. DO NOT!!!!!
2. Do run snort using the -o option
3. Do add rules you don't want to your pass.rules file on your centralized web
server. Make sure that pass.rules is the first rules file you're calling in
4. Do not run the script on the sensor and the script on the web server at the
same time. Run the script on your web server first then run the script on your
sensors about 10 minutes later.
This is the script which runs on my web server and downloads the
snortrules.tar.gz file from snort.org:
mv /tmp/snortrules.tar.gz /usr/local/httpd/htdocs/security/snort/
This is the script which runs on my snort sensors and downloads the snort rules
from my web server:
# INTERNAL-WEB-SERVER is a placeholder for your own web server; the cd and wget
# lines are reconstructed from the description above, the rest is as posted.
cd /etc/snort/tmp || exit 1
wget -q http://INTERNAL-WEB-SERVER/security/snort/snortrules.tar.gz http://INTERNAL-WEB-SERVER/security/snort/global.rules http://INTERNAL-WEB-SERVER/security/snort/pass.rules
mv /etc/snort/tmp/global.rules /etc/snort/rules
mv /etc/snort/tmp/pass.rules /etc/snort/rules
tar -xvzf /etc/snort/tmp/snortrules.tar.gz
rm -f /etc/snort/tmp/rules/local.rules
mv /etc/snort/tmp/rules/*.rules /etc/snort/rules
rm -r /etc/snort/tmp/rules
"Flush twice....it's a long way to
Microsoft is not installed.