Keeping the Rules Up to Date

Problem

In the current Snort build, there are about 3,500 rules. How do I make sure I have the most current rules to protect my network?

Solution

The de facto Snort rule updater is Oinkmaster (http://oinkmaster.sourceforge.net). It allows for scripted and automatic rule updates. It runs as a command-line tool for ease of scripting, but it also has an add-on component for GUI management. The recommended way to use Oinkmaster is to have it report when rules have changed, without letting it update your rules automatically. If you allow Oinkmaster to update your rules automatically, you open up a big can of trouble for change management and rule management within a security team. It is very useful, however, if you just want a daily comparison between your currently running rules and the rules on www.snort.org.

Download Oinkmaster and create the working directories:

mkdir /opt/oinkmaster
mkdir /opt/oinkmaster/CURRENT_RULES
mkdir /opt/oinkmaster/NEW

Copy your currently running rules to CURRENT_RULES and compare them with the official www.snort.org rules (-c is Oinkmaster's careful mode, which reports changes without writing them):

perl oinkmaster.pl -o /opt/oinkmaster/CURRENT_RULES -c -C oinkmaster.conf

As you might have noticed, the results scroll by too quickly to read, so from a Bourne shell, capture them to a file instead:

# perl oinkmaster.pl -o /opt/oinkmaster/CURRENT_RULES -c -C oinkmaster.conf > OINK_Report.txt 2>&1

For those readers who might want to turn this into a daily report showing any changes in the official rules, the following script should work:

#!/bin/sh
#####
# Checks daily for changes to the currently running Snort rule set
#
# Runs from cron every 24 hours
# EXAMPLE CRONTAB LINE (runs once a day at 23:00)
# 0 23 * * * /bin/sh /opt/DAILY_SNORT_RULES.sh
#
#####
# Variables
# Date of the report
mydate=`date "+%c"`
# Run oinkmaster in careful mode, capturing all of the output
perl /opt/oinkmaster/oinkmaster.pl -o /opt/oinkmaster/CURRENT_RULES -c -C /opt/oinkmaster/oinkmaster.conf > /opt/oinkmaster/OINK_Report.txt 2>&1
# Create a formatted report
echo " Snort Rule Change Report " > /opt/oinkmaster/Daily_report.txt
echo " " >> /opt/oinkmaster/Daily_report.txt
echo " For Date: $mydate " >> /opt/oinkmaster/Daily_report.txt
echo " " >> /opt/oinkmaster/Daily_report.txt
cat /opt/oinkmaster/OINK_Report.txt >> /opt/oinkmaster/Daily_report.txt
# Use mutt to send our emails (send the assembled report, not the raw Oinkmaster output)
mutt -s "Daily Snort Changes" IDS_TEAM@organization < /opt/oinkmaster/Daily_report.txt
# FUTURE / IMPROVEMENTS
# Push to web server for a web portal?
# Other ideas?
# Done !!
##### END OF SCRIPT

Discussion

You can configure several options in the oinkmaster.conf file to control how Oinkmaster changes your rule sets. In the oinkmaster.conf file, you can specify such things as which files are updated and which are left alone:

# find the line in the conf file
# titled "update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$"
# then change it to "update_files = \.rules$"

# find the line in the conf file
# titled "skipfile local.rules"
# If you are following the above statement then uncomment
# this line by removing the "#"

For example, to modify one or more Snort rules, edit the oinkmaster.conf file. You need to specify the rule number (sid) and the change you want to make, as in the following example:

# modifysid 1378 "^alert" | "pass"

This changes Snort rule number 1378 from an alerting rule to a pass rule that will ignore the traffic.

If, however, you want to forcibly enable or disable specific rules, that's possible as well. Use the enablesid and disablesid commands in the oinkmaster.conf file.

To enable a specific rule that was disabled in the official www.snort.org distribution, you would use something like the following:

# enablesid 1325

You can also disable a specific rule that was enabled by www.snort.org's distribution. For example, you could disable a rule that, on your network, is quite noisy with false positives with the following:

# disablesid 1325
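The recipe's workflow is to let Oinkmaster stage the fresh snort.org rules (the NEW directory) and report differences against CURRENT_RULES, leaving the running rules untouched until a person reviews the change. The script below is an added example, not part of the Snort Cookbook recipe or of Oinkmaster itself: it turns that review into a gate by diffing the two directories per sid (added, removed, modified) and by checking that every sid tuned with enablesid, disablesid or modifysid in oinkmaster.conf still exists in the new rule set, so a stale tuning entry does not silently stop doing anything after an update. It assumes the usual rule layout (one rule per line in *.rules files, each with a "sid:N;" option, disabled rules commented out with a leading "#"); the function names and the rulegate.sh script name are this example's own.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook or Oinkmaster. Rule-change gate:
# compares the running rules (CURRENT_RULES) with the staged rules (NEW) per sid
# and reports sids tuned in oinkmaster.conf that no longer exist in the new set.
# Assumed layout: one rule per line in *.rules, each carrying "sid:N;", disabled
# rules commented out with "#".

# Print "sid<TAB>rule" for every active (uncommented) rule under a directory.
rule_index() {
    cat "$1"/*.rules 2>/dev/null | awk '
        /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ && match($0, /sid:[ \t]*[0-9]+;/) {
            s = substr($0, RSTART + 4, RLENGTH - 5)   # text between "sid:" and ";"
            gsub(/[ \t]/, "", s)
            print s "\t" $0
        }'
}

# Print every sid mentioned in a directory, active or commented out, sorted lexically.
all_sids() {
    cat "$1"/*.rules 2>/dev/null | awk '
        match($0, /sid:[ \t]*[0-9]+;/) {
            s = substr($0, RSTART + 4, RLENGTH - 5); gsub(/[ \t]/, "", s); print s
        }' | sort -u
}

# Compare running rules ($1) with staged rules ($2); one line per change:
# "added SID", "removed SID" or "modified SID" (same sid, different rule text).
compare_rule_dirs() {
    old=$(mktemp); new=$(mktemp)
    rule_index "$1" > "$old"
    rule_index "$2" > "$new"
    awk -F'\t' '
        FILENAME == ARGV[1] { oldrule[$1] = $2; next }
        {
            if (!($1 in oldrule)) print "added " $1
            else if (oldrule[$1] != $2) print "modified " $1
            seen[$1] = 1
        }
        END { for (s in oldrule) if (!(s in seen)) print "removed " s }
    ' "$old" "$new" | sort -k2,2n
    rm -f "$old" "$new"
}

# Number of changed sids between two rule directories.
rule_change_count() {
    compare_rule_dirs "$1" "$2" | wc -l | tr -d ' '
}

# Sids named by enablesid/disablesid/modifysid lines in an oinkmaster.conf
# (comma-separated lists are allowed on enablesid/disablesid).
conf_sid_refs() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "modifysid" { list = $2 }
        $1 == "enablesid" || $1 == "disablesid" {
            list = ""; for (i = 2; i <= NF; i++) list = list $i
        }
        $1 ~ /^(enablesid|disablesid|modifysid)$/ {
            gsub(/[ \t]/, "", list)
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] ~ /^[0-9]+$/) print parts[i]
        }' "$1" | sort -u
}

# Sids tuned in the conf ($1) that do not appear anywhere in the rule directory ($2).
stale_conf_sids() {
    refs=$(mktemp); have=$(mktemp)
    conf_sid_refs "$1" > "$refs"
    all_sids "$2" > "$have"
    comm -23 "$refs" "$have"
    rm -f "$refs" "$have"
}

# Usage: rulegate.sh CURRENT_RULES_DIR NEW_RULES_DIR oinkmaster.conf
# Exits 1 when anything changed, so cron or a change ticket can pick it up.
if [ "$#" -eq 3 ] && [ -d "$1" ] && [ -d "$2" ]; then
    echo "Rule changes between $1 and $2:"
    compare_rule_dirs "$1" "$2"
    echo "Sids tuned in $3 but missing from $2:"
    stale_conf_sids "$3" "$2"
    [ "$(rule_change_count "$1" "$2")" -eq 0 ] || exit 1
fi
```

Run it from the same cron job as the daily report, pointing it at /opt/oinkmaster/CURRENT_RULES, /opt/oinkmaster/NEW and /opt/oinkmaster/oinkmaster.conf; a non-zero exit is the signal that someone has to look at the diff before the staged rules are copied into the running set.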

So as you can see, Oinkmaster offers quite a bit of functionality for an organization's IDS team.

Finally, if you want a functional GUI for Oinkmaster, an oinkgui.pl file comes with the Oinkmaster distribution under the contrib directory. However, to run this under *nix systems, you will need to have Perl/Tk installed.

To install a new Perl module on a system where you have root access, download Tk from the following site, as referenced in the Oinkmaster documentation:

http://www.cpan.org/authors/id/NI-S/Tk-800.024.tar.gz

Once downloaded, the simplest way to install a new Perl module is to extract the archive and compile the source code into your local Perl library:

# EXAMPLE: Tk-800.024
tar xzf Tk-800.024.tar.gz
cd Tk-800.024
perl Makefile.PL
make
make test
make install

If you are on a Windows system and want to use the GUI, just download and install the ActivePerl Windows distribution. This build comes with all the components necessary to run the GUI.

# http://www.activestate.com
#
# Run the GUI
perl oinkgui.pl

Once in the GUI, you will need to specify the location of several key components, such as the following:

Path to your Oinkmaster.conf file: C:\snort22x\Oinkmaster\Oinkmaster.conf
Path to your oinkmaster.pl file: C:\snort22x\Oinkmaster\oinkmaster.pl
Your output directory: C:\snort22x\Oinkmaster\logs

For an example of the GUI, see Figure 3-1; you might find it easier to use than editing the config file by hand.

Figure 3-1. Oinkmaster GUI examples


See Also

http://oinkmaster.sourceforge.net

Oinkmaster mailing list

Basic Rules You Shouldn't Leave Home Without