How to automatically update Snort rules

As you use Snort, you may find some of the default rules are not useful to you. You may also find a need for rules that are disabled by default, and you may even need to modify some rules. Since Snort needs regular rule updates just like your AV, it's not practical to manually recreate all of the changes you make each time you download new rules. Fortunately, there is a free tool called Oinkmaster, which does everything you need to maintain your Snort rules, and runs on both Unix and Windows. (It's written in Perl, so you'll need ActivePerl to run it on Windows.)

Oinkmaster is the de-facto rule updater in the Snort community and was released as a production version in May 2004 after several years of beta testing. It is driven by a configuration file in which you define exactly what it should do. First you get the latest rules using HTTP, HTTPS, FTP, file or SCP methods. (You will need an Oinkcode to get the VRT rules from Snort.org (See How to decipher the Oinkcode). Then you define what files to update or skip, what Signature IDs (SIDs) to modify, what SIDs to enable and which ones to disable. You can also 'include' files to an arbitrary depth, which allows for a very modular approach. The configuration file that comes with Oinkmaster is well-documented and contains useful defaults, but you must still review it to make sure you are downloading the correct rule snapshot for the version of Snort you are running and to add your Oinkcode.

While you can use Oinkmaster to directly update your sensors, a b...

Enabling or disabling SIDs is easy; all you have to do is add the SID in question to an "enablesid" or "disablesid" line. Modifying a SID is not much harder and involves creating a Perl Regular Expression to describe your changes. There is also a template feature to make multiple similar changes. Since Snort rules can also use Regular Expressions, which are so useful in other areas of programming, they're worth learning if you aren't familiar with them.

Version 1.1 was released in October 2004 and adds two new report formats that more clearly show exactly what is different when rules change (see –s and –m in the changelog). Version 1.2 was released in April 2005 and allows 'multiple -u ... [command line] arguments or multiple "url = ..." [statements] in oinkmaster.conf' to facilitate downloading the VRT, Community and Bleeding Snort rules all at once, among other things. Oinkmaster's documentation is well-written, which makes it a great place to start learning about the tool. If you use Snort, take the time to investigate Oinkmaster -- you won't regret it, I promise.

ABOUT THE AUTHOR:

[IMAGE]JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Application and Platform Security,   Open Source Security Tools and Applications,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Screencast: Smoothwall offers firewall defense in lean times Screencast: Samurai offers pen-testing nirvana Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research Open Source Security Tools and Applications Screencast: How to launch an OpenVAS scan Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 SSH key compromise shuts down Apache website Screencast: Smoothwall offers firewall defense in lean times Screencast: Samurai offers pen-testing nirvana Rootkit Hunter demo: Detect and remove Linux rootkits When to use open source security tools over commercial products Screencasts: On-screen demonstrations of security tools Maltego demo: Identifying a website's trust relationships RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.