As you use Snort, you may find some of the default rules are not useful to you. You may also find a need for rules...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
that are disabled by default, and you may even need to modify some rules. Since Snort needs regular rule updates just like your AV, it's not practical to manually recreate all of the changes you make each time you download new rules. Fortunately, there is a free tool called Oinkmaster, which does everything you need to maintain your Snort rules, and runs on both Unix and Windows. (It's written in Perl, so you'll need ActivePerl to run it on Windows.)
Oinkmaster is the de-facto rule updater in the Snort community and was released as a production version in May 2004 after several years of beta testing. It is driven by a configuration file in which you define exactly what it should do. First you get the latest rules using HTTP, HTTPS, FTP, file or SCP methods. (You will need an Oinkcode to get the VRT rules from Snort.org (See How to decipher the Oinkcode). Then you define what files to update or skip, what Signature IDs (SIDs) to modify, what SIDs to enable and which ones to disable. You can also 'include' files to an arbitrary depth, which allows for a very modular approach. The configuration file that comes with Oinkmaster is well-documented and contains useful defaults, but you must still review it to make sure you are downloading the correct rule snapshot for the version of Snort you are running and to add your Oinkcode.
While you can use Oinkmaster to directly update your sensors, a better way is to use one configuration file to update a staging directory and report details of what has changed. Once you review and approve the changes you can use a second configuration file to actually update your sensors (See the Oinkmaster FAQ Q3 at oinkmaster.sourceforge.net).
Enabling or disabling SIDs is easy; all you have to do is add the SID in question to an "enablesid" or "disablesid" line. Modifying a SID is not much harder and involves creating a Perl Regular Expression to describe your changes. There is also a template feature to make multiple similar changes. Since Snort rules can also use Regular Expressions, which are so useful in other areas of programming, they're worth learning if you aren't familiar with them.
Version 1.1 was released in October 2004 and adds two new report formats that more clearly show exactly what is different when rules change (see –s and –m in the changelog). Version 1.2 was released in April 2005 and allows 'multiple -u ... [command line] arguments or multiple "url = ..." [statements] in oinkmaster.conf' to facilitate downloading the VRT, Community and Bleeding Snort rules all at once, among other things. Oinkmaster's documentation is well-written, which makes it a great place to start learning about the tool. If you use Snort, take the time to investigate Oinkmaster -- you won't regret it, I promise.
SNORT TECHNICAL GUIDE
Why Snort makes IDS worth the time and effort
How to identify ports
How to deal with switches and segments
Where to place IDS sensors
What OS to use for Snort sensors
How to determine how many interfaces a sensor needs
How to modify and write custom Snort rules
How to define Snort's configuration variables
Where to find Snort rules
How to decipher the Oinkcode
How to verify that Snort is operating
ABOUT THE AUTHOR: JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.