[Snort-users] Updating Snort Rules...Made Easy..sort of

Dr SuSE drsuse at ...748...
Tue Oct 9 14:56:11 EDT 2001

Updating Snort rules the quick and dirty way.

The examples given in this document are for updating Snort rules in an 
environment where multiple Snort sensors are used.

I'm going to use my Snort directory structure as an example.  Your directory 
structure is probably different from mine, but that's OK; you can still make 
this method work for you.

/etc/snort  (snort.conf, classifications.config)
/etc/snort/rules (all snort rules are here)
/etc/snort/scripts (all of my custom scripts are in here)
/etc/snort/tmp (If you can't figure this one out, you're hosed)

The problem with automatically updating rules is that after a while you've 
probably deleted or commented out some of the rules that either you don't need 
or that trigger too many false positives.  You may have also written 
your own custom rules.

OK, let's get to the meat... here's what I did.

I first wrote a simple script using wget and cron'd it to run daily at noon.  
This script simply downloads the snortrules.tar.gz rules from www.snort.org and 
places it into the snort directory under my htdocs directory.  I then added two 
files to ~/htdocs/snort.  One is called pass.rules and the other is called 

For the rules you do not want, simply add them to the pass.rules file and 
change them from alert to pass.  Use the global.rules file for custom rules you 
want to distribute to all of your sensors.

Next, you're going to want to edit your snort.conf file and make sure that the 
first rule file loaded is the pass.rules file.  Also, to make this work, you 
have to remember to run snort with the -o option.  Don't forget to add an 
include statement for your new global.rules file.

Now all you have to do is use a script which uses wget to pull the 
snortrules.tar.gz file from your internal web server, extract the rules to a 
tmp directory, remove the local.rules and copy the rest to where you keep 
your snort rules files on your sensors.  Don't forget that you also have to 
restart snort.

Below are the scripts I'm using, nothing special.  But first, let me give you a 
few do's and don'ts:

1. DO NOT configure all of your sensors to download the snortrules file from 
snort.org; this will cause unnecessary traffic.  Remember, all you need is a web 
server inside your network to run the script on, and if you're running demarc, 
acid or snarf then you already have this.  DO NOT!!!

2. Do run snort using the -o option.

3. Do add rules you don't want to your pass.rules file on your centralized web 
server.  Make sure that pass.rules is the first rules file you're calling in 

4. Do not run the script on the sensor and the script on the web server at the 
same time.  Run the script on your web server first, then run the script on your 
sensors about 10 minutes later.

This is the script which runs on my web server and downloads the 
snortrules.tar.gz file from snort.org:

#! /bin/sh
# Mirror the upstream tarball; only replace the served copy if the download succeeded,
# otherwise the sensors would find nothing to fetch.
cd /tmp || exit 1
rm -f /tmp/snortrules.tar.gz
wget http://www.snort.org/downloads/snortrules.tar.gz || exit 1
rm -f /usr/local/httpd/htdocs/security/snort/snortrules.tar.gz
mv /tmp/snortrules.tar.gz /usr/local/httpd/htdocs/security/snort/

This is the script which runs on my snort sensors and downloads the snort rules 
from my web server:

#! /bin/sh
# Pull the mirrored tarball plus the two centrally managed rule files from the
# internal web server (host "bb"); stop before touching anything if a download fails.
cd /etc/snort/tmp || exit 1
rm -rf /etc/snort/tmp/rules /etc/snort/tmp/snortrules.tar.gz
wget http://bb/security/snort/snortrules.tar.gz || exit 1
wget http://bb/security/snort/pass.rules || exit 1
wget http://bb/security/snort/global.rules || exit 1
mv /etc/snort/tmp/global.rules /etc/snort/rules
mv /etc/snort/tmp/pass.rules /etc/snort/rules
# The tarball unpacks into ./rules; drop its local.rules so the sensor's own copy survives.
tar -xvzf /etc/snort/tmp/snortrules.tar.gz || exit 1
rm /etc/snort/tmp/snortrules.tar.gz
rm /etc/snort/tmp/rules/local.rules
mv /etc/snort/tmp/rules/*.rules /etc/snort/rules
rm -r /etc/snort/tmp/rules
/etc/rc.d/snort restart

"Flush twice....it's a long way to

Microsoft is not installed.
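The sensor-side pull described in the post, reworked as an added example into a hardened script (this is not the poster's code and not a Snort project script). The variable names SERVER_URL, RULES_DIR, SNORT_CONF and SNORT_INIT, the function names, and the use of `snort -T` to test a configuration are my own assumptions; the default values mirror the paths in the post. The point it adds: the tarball arrives over plain HTTP with no integrity check, so the script refuses archives whose member names would extract outside rules/, checks that pass.rules really is the first rule file included in snort.conf, keeps the sensor's own local.rules, and puts the previous rules back if Snort rejects the new set, so a bad download cannot leave a sensor that will not start.

```shell
#!/bin/sh
# Added example, not the poster's scripts: a hardened sensor-side pull with
# the same layout (tarball + pass.rules + global.rules from an internal
# server).  SERVER_URL, RULES_DIR, SNORT_CONF, SNORT_INIT and the use of
# "snort -T" for a config test are assumptions; adjust to your install.

SERVER_URL=${SERVER_URL:-http://bb/security/snort}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_INIT=${SNORT_INIT:-/etc/rc.d/snort}

# Turn an alert rule into a pass rule, as the post says to do by hand for
# rules moved into pass.rules.  Only the leading action word changes.
to_pass_rule() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*alert[[:space:]]/pass /'
}

# The tarball comes from outside the sensor, so its member names must not
# decide where files land: reject absolute paths, '..' components and
# anything outside the rules/ directory the archive is expected to hold.
archive_is_safe() {
    tar -tzf "$1" | awk '
        /^\//              { bad = 1 }
        /(^|\/)\.\.(\/|$)/ { bad = 1 }
        !/^rules\//        { bad = 1 }
        END { exit bad }'
}

# The post's ordering requirement, checked mechanically: the first .rules
# file included in snort.conf must be pass.rules, and global.rules must be
# included somewhere.
conf_order_ok() {
    first=$(grep -E '^[[:space:]]*include[[:space:]].*\.rules' "$1" | head -n 1)
    case "$first" in
        *pass.rules) ;;
        *) echo "pass.rules is not the first rule file in $1" >&2; return 1 ;;
    esac
    grep -Eq '^[[:space:]]*include[[:space:]].*global\.rules' "$1" ||
        { echo "global.rules is not included in $1" >&2; return 1; }
}

# Unpack into a scratch directory, drop the upstream local.rules so the
# sensor's own copy stays, and add the centrally managed pass.rules and
# global.rules.  Nothing in RULES_DIR is touched until this succeeds.
stage_rules() {
    archive=$1; pass=$2; global=$3; stage=$4
    archive_is_safe "$archive" || { echo "unsafe archive: $archive" >&2; return 1; }
    rm -rf "$stage" && mkdir -p "$stage" || return 1
    tar -xzf "$archive" -C "$stage" || return 1
    rm -f "$stage/rules/local.rules"
    cp "$pass" "$stage/rules/pass.rules" || return 1
    cp "$global" "$stage/rules/global.rules" || return 1
}

# Copy the staged set over RULES_DIR, keeping one backup.  If the config
# test fails the backup is put back, so a bad download cannot leave the
# sensor unable to start.  The test is skipped when snort is not installed.
install_rules() {
    stage=$1
    rm -rf "$RULES_DIR.bak"
    [ -d "$RULES_DIR" ] && cp -pr "$RULES_DIR" "$RULES_DIR.bak"
    mkdir -p "$RULES_DIR" || return 1
    cp -p "$stage"/rules/*.rules "$RULES_DIR"/ || return 1
    if [ -f "$SNORT_CONF" ] && command -v snort >/dev/null 2>&1 &&
       ! snort -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        echo "new rules rejected by snort -T, restoring backup" >&2
        rm -rf "$RULES_DIR" && cp -pr "$RULES_DIR.bak" "$RULES_DIR"
        return 1
    fi
}

# What cron runs on the sensor (some minutes after the web server's job).
update_sensor() {
    work=$(mktemp -d) || return 1
    for f in snortrules.tar.gz pass.rules global.rules; do
        wget -q -O "$work/$f" "$SERVER_URL/$f" || { rm -rf "$work"; return 1; }
    done
    conf_order_ok "$SNORT_CONF" || { rm -rf "$work"; return 1; }
    stage_rules "$work/snortrules.tar.gz" "$work/pass.rules" "$work/global.rules" "$work/stage" &&
        install_rules "$work/stage" && "$SNORT_INIT" restart
    rc=$?
    rm -rf "$work"
    return $rc
}

# Run the full update only when invoked as "script run", so the functions
# can also be sourced and exercised one at a time.
if [ "${1:-}" = run ]; then update_sensor; fi
```

Call it from cron as `update.sh run`, offset from the web server's job as the post recommends. The archive check is deliberately strict about the rules/ prefix because the poster's tar listing shows everything under that directory; if the upstream layout changes, the script stops rather than scattering files, which is the behaviour you want from an unauthenticated download.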
