Tip

How to automatically update Snort rules

As you use Snort, you may find some of the default rules are not useful to you. You may also find a need for rules that are disabled by default, and you may even need to modify some rules. Since Snort needs regular rule updates

    Requires Free Membership to View

    Login

just like your AV, it's not practical to manually recreate all of the changes you make each time you download new rules. Fortunately, there is a free tool called Oinkmaster, which does everything you need to maintain your Snort rules, and runs on both Unix and Windows. (It's written in Perl, so you'll need ActivePerl to run it on Windows.)

Oinkmaster is the de-facto rule updater in the Snort community and was released as a production version in May 2004 after several years of beta testing. It is driven by a configuration file in which you define exactly what it should do. First you get the latest rules using HTTP, HTTPS, FTP, file or SCP methods. (You will need an Oinkcode to get the VRT rules from Snort.org (See How to decipher the Oinkcode). Then you define what files to update or skip, what Signature IDs (SIDs) to modify, what SIDs to enable and which ones to disable. You can also 'include' files to an arbitrary depth, which allows for a very modular approach. The configuration file that comes with Oinkmaster is well-documented and contains useful defaults, but you must still review it to make sure you are downloading the correct rule snapshot for the version of Snort you are running and to add your Oinkcode.

More Information

Learn more about Sourcefire's rules development process

Will you have to pay for Snort updates?
While you can use Oinkmaster to directly update your sensors, a better way is to use one configuration file to update a staging directory and report details of what has changed. Once you review and approve the changes you can use a second configuration file to actually update your sensors (See the Oinkmaster FAQ Q3 at oinkmaster.sourceforge.net).

Enabling or disabling SIDs is easy; all you have to do is add the SID in question to an "enablesid" or "disablesid" line. Modifying a SID is not much harder and involves creating a Perl Regular Expression to describe your changes. There is also a template feature to make multiple similar changes. Since Snort rules can also use Regular Expressions, which are so useful in other areas of programming, they're worth learning if you aren't familiar with them.

Version 1.1 was released in October 2004 and adds two new report formats that more clearly show exactly what is different when rules change (see –s and –m in the changelog). Version 1.2 was released in April 2005 and allows 'multiple -u ... [command line] arguments or multiple "url = ..." [statements] in oinkmaster.conf' to facilitate downloading the VRT, Community and Bleeding Snort rules all at once, among other things. Oinkmaster's documentation is well-written, which makes it a great place to start learning about the tool. If you use Snort, take the time to investigate Oinkmaster -- you won't regret it, I promise.


SNORT TECHNICAL GUIDE

  Introduction
  Why Snort makes IDS worth the time and effort
  How to identify ports
  How to deal with switches and segments
  Where to place IDS sensors
  What OS to use for Snort sensors
  How to determine how many interfaces a sensor needs
  How to modify and write custom Snort rules
  How to define Snort's configuration variables
  Where to find Snort rules
  How to automatically update Snort rules
  How to decipher the Oinkcode
  How to verify that Snort is operating

ABOUT THE AUTHOR:
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was first published in May 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top