[Snort-users] Updating rules...

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 10 08:00:02 EST 2002


In order to reduce my network traffic I'll send it to the
mailing list. There seem to be more people out there interested in
this. Please forgive me my bad scripting habits... ;)

Regards,

Edin_

PS: Please read the script carefully before using it. Some
things could be done better - I admit that ;). It's up to you to do so.
Have fun and do not blame me if something goes wrong. My advice is not
to let crond run it for you. Note that the mail client has wrapped some
of the longer lines (including a few comment lines), so rejoin them
before running the script.

Set all parameters to fit your system. I was running it on Red Hat
7.3. You'll need wget too. Set up a user and group "snort" first.



#!/bin/sh

###############################################################################
#
# Script to download and install new IDS signatures (Snort rule set).
#
###############################################################################

# --- Notification -----------------------------------------------------------
# Where the "rules reloaded" mail goes and how this host names itself in it.
MAILTO="admin at ...7717..."
MACHINE="machine1"

# Uncomment to trace every command while debugging.
#set -x

# --- Download source --------------------------------------------------------
# NOTE: both files are fetched over plain HTTP from the same host, so the
# MD5 comparison done later only detects a corrupted download, not a
# tampered archive - the checksum file can be tampered with the same way.
SIGS_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz"
MD5_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz.md5"

# --- wget -------------------------------------------------------------------
WGET="/usr/bin/wget"
# -t 3 : three retries
# -T 5 : timeout in seconds
# -N   : fetch only if the server copy is newer than the local one
# -a   : append wget's log messages to the given file
# -P   : directory the download is saved to
WGET_PARAMS="-t 3 -T 5 -N -a /etc/snort/snort.log -P /etc/snort"
# Minimal alternative:
#WGET_PARAMS="-N"

# --- Other tools (absolute paths, Red Hat 7.3 layout) -----------------------
ECHO="/bin/echo"
TAR="/bin/tar"
KILL="/bin/kill"
PIDOF="/sbin/pidof"
SERVICE="/sbin/service"
MD5SUM="/usr/bin/md5sum"
MD5SUM_PARAMS=""

# --- Snort ------------------------------------------------------------------
SNORT="/usr/local/bin/snort"
# User and group handed to snort via -u/-g; create them before running.
SNORTUSER="snort"
SNORTGROUP="snort"
# Signal restartsnort() sends to a running Snort (the script expects it to
# make Snort re-read its rules).
KILLSIG="SIGUSR1"

# Configuration directory and the directory holding the *.rules files
SNORTCFGPATH="/etc/snort"
RULESPATH="/etc/snort/snortrules"

# Sensor interfaces separated by blanks (one snort.conf_<iface> each)
IFACES="eth0"

###############################################################################
#                            F U N C T I O N S                                #
###############################################################################


###############################################################################
#   The function that starts Snort for all interfaces defined on the system  #
#                                                                             #
#   To extend it, two things are needed:                                      #
#   1. Add the interface to the IFACES list                                   #
#   2. Create the configuration file /etc/snort/snort.conf_ethX               #
#                                                                             #
###############################################################################

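restartsnort() {
# Restart (or start) Snort for every sensor interface listed in $IFACES.
#
# For each interface the PID file /var/run/snort_<iface>.pid decides what
# happens:
#   - PID file present and snort process(es) found: send $KILLSIG to them so
#     the new rules are picked up.
#   - PID file present but no process: let the init script restart Snort.
#   - No PID file: start a new daemon for the interface by hand and report
#     its PID.
# The original version started a fresh daemon unconditionally after the
# signal / service restart, which left two Snort processes per interface;
# the manual start is now confined to the "no PID file" case.
#
# Globals read:    IFACES, ECHO, PIDOF, SNORT, SERVICE, KILL, KILLSIG,
#                  SNORTCFGPATH, SNORTUSER, SNORTGROUP
# Globals written: PID
#
# NOTE(review): confirm that $KILLSIG (SIGUSR1) really makes the installed
# Snort re-read its rules - in several Snort releases SIGUSR1 only dumps
# statistics and SIGHUP is the restart/reload signal. If so, set KILLSIG
# accordingly.
for i in $IFACES; do
        "$ECHO" "Setting up Snort for interface "$i""
        "$ECHO" "Restarting Snort..."
        if [ -f /var/run/snort_"$i".pid ]
        then
                # pidof reports every snort process, not only this interface's.
                PID=$("$PIDOF" "$SNORT")
                if [ -z "$PID" ]
                then
                        "$SERVICE" snort restart
                else
                        "$ECHO" "Restarting Snort running with PID "$PID" and reloading the rules..."
                        # $PID may hold several PIDs; leave it unquoted so kill
                        # receives one argument per process.
                        "$KILL" -s "$KILLSIG" $PID
                fi
        else
                "$ECHO" "No PID file for interface "$i" found under /var/run"
                "$ECHO" "Starting Snort"
                "$SNORT" -a -b -c "$SNORTCFGPATH""/snort.conf_""$i" -I -D -v -i "$i" -u "$SNORTUSER" -g "$SNORTGROUP"
                # -D daemonises, so the PID file is written a moment later
                # by the child; wait briefly instead of reading it at once.
                waited=0
                while [ ! -f /var/run/snort_"$i".pid ] && [ "$waited" -lt 5 ]; do
                        /bin/sleep 1
                        waited=$((waited + 1))
                done
                if [ -f /var/run/snort_"$i".pid ]
                then
                        PID=$(cat /var/run/snort_"$i".pid)
                        "$ECHO" "Snort running now with PID "$PID""
                else
                        "$ECHO" "Snort did not write /var/run/snort_"$i".pid - check the Snort log"
                fi
        fi
done
}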

###############################################################################
#   The function that checks whether and how Snort is running on the system   #
###############################################################################

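checksnort() {
# Sanity-check that Snort is running and that the number of snort processes
# agrees with the number of per-interface PID files, restarting Snort
# through the init script when it does not.
#
# Globals read:    PIDOF, SNORT, ECHO, SERVICE
# Globals written: SNORTS, SNORT_PIDS
SNORTS=$("$PIDOF" "$SNORT" | wc -w | awk '{print $1}')
# Only snort_eth<single digit>.pid is counted, so interfaces such as eth10
# or non-eth names are invisible here. The pattern is quoted so the shell
# cannot glob-expand it against the current directory before find sees it.
SNORT_PIDS=$(/usr/bin/find /var/run -name 'snort_eth[0-9].pid' -ls | wc -l | awk '{print $1}')
"$ECHO" "Snort instances counted:  $SNORTS"
"$ECHO" "Snort PID files found:    $SNORT_PIDS"

# Case 1: Snort is not running, or there is no PID file at all
if [ "$SNORTS" = "0" ] || [ "$SNORT_PIDS" = "0" ]
then
        "$ECHO" "Snort seems to be down or no PID file there..."
        "$ECHO" "Restarting Snort for all Interfaces..."
        "$SERVICE" snort restart
# Case 2: more processes than PID files - stop everything and start again.
# (elif: previously both cases fired when SNORTS > 0 and SNORT_PIDS = 0,
# restarting Snort twice in a row.)
elif [ "$SNORTS" -gt "$SNORT_PIDS" ]
then
        "$ECHO" "More Snort instances than found PID files..."
        "$ECHO" "Something is wrong outthere..."
        "$ECHO" "Stopping all Snort processes..."
#       /usr/bin/killall -9 snort
        "$SERVICE" snort stop
        "$ECHO" "Hold on... Restarting Snort now..."
        "$SERVICE" snort restart
fi

# Case 3: the counts agree - nothing to do
}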

###############################################################################
###############################################################################

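getrules() {
# Download the stable rule set and its published MD5 file, verify the
# checksum, and install the rules into $RULESPATH.
#
#   1. Fetch both files into $SNORTCFGPATH (wget -N: only if newer).
#   2. Read the published hash from the .md5 file and compute our own.
#   3. Abort unless both are 32 hex digits and identical.
#   4. List the archive and refuse members with absolute or '..' paths,
#      then unpack into a fresh temporary directory - not straight into
#      /etc/snort, so unexpected members never land in the config dir.
#   5. Move *.rules into $RULESPATH, copy classification.config, remove
#      the temporary directory and give the rules to root.
#
# SECURITY NOTE: the .md5 file comes from the same server over the same
# plain-HTTP URL as the archive, so a matching checksum only proves the
# download was not corrupted. Whoever can tamper with the archive on the
# server or in transit can tamper with the checksum too; treat this as an
# integrity check, not as authentication of the rule set.
#
# Globals read:    WGET, WGET_PARAMS, SIGS_URL1, MD5_URL1, SNORTCFGPATH,
#                  RULESPATH, ECHO, TAR, MD5SUM, MD5SUM_PARAMS
# Globals written: MD5SUM1, MD5SUM2
# Exits the script with status 1 on any failure.
RULES_TGZ="$SNORTCFGPATH/snortrules-stable.tar.gz"
RULES_MD5="$RULES_TGZ.md5"
LOGFILE="$SNORTCFGPATH/snort.log"

# Get the rules, since we know that they are newer...
$WGET $WGET_PARAMS "$SIGS_URL1"
$WGET $WGET_PARAMS "$MD5_URL1"

"$ECHO" "Readout the checksum..."
if [ -f "$RULES_MD5" ]
then
        # Accept both "MD5 (file) = <hash>" and md5sum's "<hash>  file"
        # layouts; only the first non-empty line is looked at.
        MD5SUM1=$(awk 'NF == 0 { next }
                       $1 == "MD5" { print $4; exit }
                       { print $1; exit }' "$RULES_MD5" | tr 'A-F' 'a-f')
else
        "$ECHO" "Error! No MD5-file found"
        exit 1
fi

# Anything but exactly 32 hex digits means the .md5 file has an unexpected
# layout; never let an empty or garbage value reach the comparison.
case "$MD5SUM1" in
        *[!0-9a-f]*|"")
                "$ECHO" "Error! Could not parse the MD5-file! Aborting!"
                exit 1
                ;;
esac
if [ "${#MD5SUM1}" -ne 32 ]
then
        "$ECHO" "Error! Could not parse the MD5-file! Aborting!"
        exit 1
fi

"$ECHO" "Generating our own checksum..."
if [ -f "$RULES_TGZ" ]
then
        MD5SUM2=$("$MD5SUM" $MD5SUM_PARAMS "$RULES_TGZ" | awk '{print $1}' | tr 'A-F' 'a-f')
else
        "$ECHO" "Error! No rules file found"
        exit 1
fi

# Both sums are logged whether or not they match.
"$ECHO" "$MD5SUM1" >> "$LOGFILE"
"$ECHO" "$MD5SUM2" >> "$LOGFILE"
if [ "$MD5SUM1" = "$MD5SUM2" ]
then
        "$ECHO" "The MD5-Checksum fits!"
        "$ECHO" "$MD5SUM1"
        "$ECHO" "$MD5SUM2"
        "$ECHO" "Proceeding..."
else
        "$ECHO" "Error! Wrong checksum! Aborting!"
        "$ECHO" "Install rules manually!"
        exit 1
fi

# Refuse archives whose member names would escape the extraction directory.
# tar runs as root here; a member such as "../../etc/passwd" or "/etc/x"
# must never be extracted.
"$ECHO" "Checking archive member names..."
if "$TAR" -tzf "$RULES_TGZ" | grep -E -e '^/' -e '(^|/)\.\.(/|$)' >/dev/null
then
        "$ECHO" "Error! Archive contains absolute or '..' member names! Aborting!"
        exit 1
fi

# Unpack into a fresh directory beside the config (not in world-writable
# /tmp), then pick out only the files we actually want.
EXTRACT_DIR=$(/bin/mktemp -d "$SNORTCFGPATH/rules-new.XXXXXX")
if [ -z "$EXTRACT_DIR" ] || [ ! -d "$EXTRACT_DIR" ]
then
        "$ECHO" "Error! Could not create a temporary directory! Aborting!"
        exit 1
fi
"$ECHO" "Extracting Snort rules..."
if ! "$TAR" -xzvf "$RULES_TGZ" -C "$EXTRACT_DIR"
then
        "$ECHO" "Error! Extracting the archive failed! Aborting!"
        /bin/rm -rf "$EXTRACT_DIR"
        exit 1
fi

# Install the new rules; the archive is expected to carry a rules/ directory.
if [ ! -d "$RULESPATH" ]
then
        "$ECHO" "Missing rules-directory!"
        "$ECHO" "Aborting!"
        /bin/rm -rf "$EXTRACT_DIR"
        exit 1
fi
if [ ! -d "$EXTRACT_DIR/rules" ]
then
        "$ECHO" "Error! No rules/ directory inside the archive! Aborting!"
        /bin/rm -rf "$EXTRACT_DIR"
        exit 1
fi
/bin/mv -f "$EXTRACT_DIR"/rules/*.rules "$RULESPATH"
/bin/cp -f "$EXTRACT_DIR"/rules/classification.config "$SNORTCFGPATH"

# Cleaning up...
/bin/rm -rf "$EXTRACT_DIR"
# Give everything to root
/bin/chown root:root "${RULESPATH}"/*
}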

###############################################################################
#                                M A I N                                      #
###############################################################################

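# Error handling first
#
# Probe the server with a spider request and look at wget's diagnostics.
# LC_ALL=C forces wget's English messages: the tests below match the words
# "failed", "error" and "not retrieving", and under a translated locale
# "not retrieving" would never match - every run would then look like
# "server file is newer" and re-download and reload the rules each time.
FCHK=$(LC_ALL=C "$WGET" --spider -N -t 3 -T 5 "$SIGS_URL1" -P /etc/snort 2>&1)

# Log the probe output explicitly
"$ECHO" "$FCHK" >> /etc/snort/snort.log

# If there is a word "failed" or "error" we break..
if "$ECHO" "$FCHK" | grep -i -e "failed" -e "error" >/dev/null
then
        "$ECHO" "Error getting the files. The server seems to be not available."
        "$ECHO" "Error message:"
        "$ECHO" "$FCHK"
        "$ECHO" "Aborting!"
        # An unreachable server is treated as "nothing to do", hence 0.
        # NOTE(review): if this ever runs unattended, a non-zero status
        # here would let the caller notice the missed update.
        exit 0
fi

"$ECHO" "Checking/getting files..."
# wget -N reports "... -- not retrieving." when the local copy is at least
# as new as the server's. The probe output above is reused instead of
# asking the server a second time.
FCHK=$("$ECHO" "$FCHK" | grep "not retrieving")

/bin/date >> /etc/snort/snort.log

"$ECHO" "Wget-output:"
"$ECHO" "$FCHK"

# Logging what we've done and when
"$ECHO" "$FCHK" >> /etc/snort/snort.log
if [ -z "$FCHK" ]
then
        "$ECHO" "The files on the server seem to be newer."
        "$ECHO" "We will get them now..."
        getrules
        # Reload rules
        "$SERVICE" snort reload
#       restartsnort
else
        "$ECHO" "Doing nothing for now..."
        "$ECHO" "Checking if Snort is running...."
        checksnort
        exit 0
fi

# Send Email: directory listing of the installed rules plus the PID(s) of
# the running Snort.
printf '%s\n\nSnort running with PID %s\n' \
        "$(ls -lA "$RULESPATH")" "$("$PIDOF" "$SNORT")" \
        | mail -s "Reloaded Snort signatures on $MACHINE" "$MAILTO"

###############################################################################
###############################################################################

exit 0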

#EOF





Edin Dizdarevic wrote:
> 
> Hello,
> 
> Tobias Rice wrote:
> 
> [...]
> 
>> I've heard something about a script that connects to snort.org (I'm
>> assuming), gets the latest rules, updates your sensor, and gives you a
>> report.
> 
> 
> I've written such a shell script; I can email it to you if you wish.
> It fetches the signatures and the MD5 file from www.snort.org, computes
> its own MD5 sum and compares it with the one read from the downloaded
> MD5 file. After that it installs (overwrites) the signatures, signals
> snort with SIGUSR1 and sends you an email.
> 
> Regards,
> 
> Edin
> 

-- 
Edin Dizdarevic




