[Snort-users] Updating Rules Win2K solutions

Scot ~~~ scotw at ...125...
Mon Jun 2 13:37:02 EDT 2003


There are two methods I use to update my sensors, depending on the type of 
traffic being monitored, perhaps one of the solutions below may apply to 
your environment. If not, then don't apply them.

1. Identify updated rules and add them manually (copy/paste), depending on 
whether or not you require the current signatures. For example, on the 
Windows platform you can use fc.exe to compare the old and current rulesets 
for changes. See example below:

C:\Snort\rules>fc /L pop3.rules c:\snort\rules\update\pop3.rules
Comparing files pop3.rules and C:\SNORT\RULES\UPDATE\POP3.RULES
***** pop3.rules
***** C:\SNORT\RULES\UPDATE\POP3.RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux 
overflow"; flow:to_server,established;content:"|<snip>; 
classtype:attempted-admin; sid:288; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO 
overflow"; flow:to_server,established; content:"|<snip>; 
classtype:attempted-admin; sid:289; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper 
overflow"; flow:to_server,established; content:"|<snip>; 
reference:bugtraq,830; reference:cve,CAN-1999-0822; 
classtype:attempted-admin; sid:290; rev:5;)
*****

You could then make a decision based on the new rules whether or not you 
would like to add them to the current pop3.rules file.

2. Use a win32 cmd shell script to grab the current .rules files and 
automatically overwrite the old ones.
I would not recommend this but if it works for you, do it. If it does not 
work for you, then don't do it.

For those Windows snorters who do not wish to utilize cygwin there is 
another solution I would present. I threw together the solution below for 
those interested parties.

1.Get the GNU utilities for Windows at:  
http://unxutils.sourceforge.net/UnxUtils.zip . This zip file is about 3.2MB 
total. Although we only require the wget.exe, gzip.exe, and tar.exe files 
you may find the others useful in the future.

2.Open the UnxUtils.zip file and extract wget.exe, gzip.exe, and tar.exe 
into your %systemdrive%\snort directory.

Note: %systemdrive% may be C:, D:, E:, F: etc� you know.

Also, you don�t have to put the files in the snort directory, I just like to 
keep my eggs in the snort basket. If you don't like the way I do it, then do 
it differently.

By default the compressed zip file will want to extract the files into the 
\usr\local\wbin directory.
If this is the case you can just copy the extracted files over to 
%systemdrive%\snort after extracting it.

3. Create a new file called Snortupdate.bat
4. Edit the snortupdate.bat file, copy and pase the text below into the 
file.
5. Save the snortupdate.bat file and run it.

Start copy below this line:


::---------------------------------------------------------------------------------------
:: Snort Rule File Updater for Win32 CMD Shell
:: Created Aug 2001
:: Updated June 2003
:: No Copyright, No Warranty, this is a script file... ahhh, do whatever you 
want with it.
:: Thrown together over a Diet Cherry Coke by Scot Wiedenfeld
:: Remember to watch and support Enterprise, it's the only Star Trek we have 
left.
::
:: If you want to schedule this to run as a weekly shell script you will 
want to remove the
:: "pause" statement and also the "Set /P" line should be replaced with a 
static variable.
::
::
::
:: Remember, always backup any custom rules you have and give your custom 
.rules file a
:: name other than those used by the typical .rules files. You don't want to 
inadvertantly
:: write over any custom blood-en-sweat rules you've created. Also be aware 
that if you want
:: to run the latest and greatest you will also need to maintain your 
snort.conf file along
:: with the binary "snort.exe" build. Remember, if you've tweaked any of 
your .rules files they
:: will be copied over when this script is run.
::
:: I would recommend running this script manually and then verifying 
functionality after the
:: update.
::
:: If you want to automate everything here are a couple more tips
::
:: Make sure you have snort installed to run as a service, you can use 
either of the following:
::
:: /service /install or use instsrv.exe and srvany.exe out of the NT/2K 
resource kit.
::
:: You can do a "net stop snort" and "net start snort" before and after the 
script below executes.
::
:: Use %errorlevel% EQU to verify that snort restarts without any errors
::
@Echo off
echo.
echo Warning, this script will get the current set of .rules files and
echo write over your present.rules files if they have the same name
echo as the updated .rules files. Please review script prior to executing.
echo.
pause
if exist snortrules-current.tar.gz del snortrules-current.tar.gz
if exist snortrules-current.tar del snortrules-current.tar
if exist snortrules-stable.tar.gz del snortrules-stable.tar.gz
if exist snortrules-stable.tar del snortrules-stable.tar
if NOT exist %systemdrive%\snort\tmp_rules mkdir 
%systemdrive%\snort\tmp_rules
Set /P rulepath=Enter the exact path to your rules directory, e.g. 
C:\snort\rules:
wget http://www.snort.org/dl/rules/snortrules-stable.tar.gz
if %errorlevel% EQU 0 goto NEXT (
) else (
wget http://www.snort.org/dl/rules/snortrules-current.tar.gz
if %errorlevel% EQU 0 goto NEXT (
) else (
Echo %time% %date% wget error, check url or inet 
connectivity>>Wget_Error.log & goto eof
:NEXT
start /wait gzip -d *.gz
if exist snortrules-current.tar tar -xv --directory=/snort/tmp_rules 
<snortrules-current.tar
if exist snortrules-stable.tar tar -xv --directory=/snort/tmp_rules 
<snortrules-stable.tar
if exist snortrules-current.tar del /Q snortrules-current.tar
if exist snortrules-stable.tar del /Q snortrules-stable.tar
Copy /A /V /Y %systemdrive%\snort\tmp_rules\rules\*.rules %rulepath%
if %errorlevel% EQU 0 RD /Q /S %systemdrive%\snort\tmp_rules\ (
) else (
Echo %date% %time% Snort Update Copy Error 
 >>%systemdrive%\snort\Snort_Update_err.log
set rulepath=
:eof
exit
::------------------------------------------------------------------------------------

End Copy above this line:

Live Long and Prosper
Scot Wiedenfeld








-----------------------------------------------------------
"It's all about the Pentium"
                              -Weird AL
-----------------------------------------------------------

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail





More information about the Snort-users mailing list