[Snort-users] How do you keep customized rules updated?

Alex Butcher alex.butcher at ...11254...
Thu Feb 22 04:46:36 EST 2007


Steve Bernacki wrote:
> Actually, Oinkmaster works very well for keeping customized rulesets 
> updated as well.  The trick is that it requires a lot of up front work 
> initially to set up the appropriate disablesid/modifysid rules in 
> order to programmatically make your customizations.  However, Once this is 
> done, it makes keeping up with new signature releases a breeze.

Seconded.

Examples of some things I do:

Reclassification, using new, locally-defined classifications:

modifysid * "(MALWARE.*)classtype:([^;]*);(.*)" | "$1 
classtype:malware-activity;$3"

Enabling tagging of sessions:

modifysid * "classtype:[ ]*successful-user;" | 
"classtype:successful-user; tag:host,10,seconds;"

modifysid * "classtype:[ ]*successful-admin;" | 
"classtype:successful-admin; tag:host,10,seconds;"

Adding thresholding:

modifysid * "classtype:[ ]*chat-protocol;" | "classtype:chat-protocol; 
threshold: type limit, track by_src, count 1, seconds 86400;"

ICMP thresholding:

modifysid * "(msg:\"ICMP Destination Unreachable Port Unreachable.*)\)" 
| "$1 threshold: type both, track by_dst, count 800, seconds 600;\)"

modifysid * "(msg:\"ICMP.*PING.*)\)" | "$1 threshold: type both, track 
by_src, count 800, seconds 600;\)"

Regex wizards can probably improve on some of my gnarly regexes. :-)

> Steve

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




More information about the Snort-users mailing list