Hack #114. Automatically Update Snort’s Rules

Keep your Snort rules up-to-date with Oinkmaster.

If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process. However, as the number of sensors grows, it can become more difficult. Luckily, you can automatically update your Snort rules with Oinkmaster (http://oinkmaster.sourceforge.net/news.shtml).

Oinkmaster is a Perl script that does much more than just download new Snort signatures. It will also modify the newly downloaded signatures according to rules that you specify or selectively disable them, which is useful when you’ve modified the standard Snort rules to fit your environment more closely or have disabled a rule that was reporting too many false positives.

To install Oinkmaster, simply download the source distribution and unpack it. Then, copy the oinkmaster.pl file from the directory that it created to some suitable place on your system. In addition, you’ll need to copy the oinkmaster.conf file to either /etc or /usr/local/etc. The oinkmaster.conf file that comes with the source distribution is full of comments explaining all the minute options that you can configure.

Oinkmaster is most useful for when you want to update your rules but have a set of rules that you don’t want enabled and that are already commented out in your current Snort rules. To have Oinkmaster automatically disable these rules, use the disablesid directive with the Snort rule IDs (separated by commas) that you want disabled when your rules are updated.

For instance, if you get a lot of ICMP unreachable datagrams on your network, you might have decided that you don’t want to receive alerts when Snort detects this type of traffic and commented out the following rule in your icmp.rules file:

#alert icmp any any -> any any (msg:"ICMP Destination Unreachable 
(Communication Administratively Prohibited)"; itype: 3; icode: 13; sid:485; 
classtype:misc-activity; rev:2;)

This is only one rule, so it’s easy to remember to go back and comment it out again after updating your rules, but this can become quite a chore when you’ve done the same thing with several dozen other rules. If you use Oinkmaster, putting the following line in your oinkmaster.conf file will disable the preceding rule after Oinkmaster has updated your rules with the newest ones available from Snort.org:

disablesid 485

Then, when you want to update your rules, run oinkmaster.pl and tell it where you’d like the updated rules to be placed:

# oinkmaster.pl -o /etc/snort/rules
/oinkmaster.pl -o /usr/local/etc/snort/rules
Loading /usr/local/etc/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-2.4.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Downloading file from http://www.bleedingsnort.com/bleeding.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=1912
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.

[***] Results from Oinkmaster started 20060511 20:21:18 [***]

[*] Rules modifications: [*]
    None.

[*] Non-rule line modifications: [*]
    None.

[+] Added files (consider updating your snort.conf to include them if needed): [+]

    -> bleeding-attack_response.rules
    -> bleeding-dos.rules
    -> bleeding-drop-BLOCK.rules
    -> bleeding-drop.rules
    -> bleeding-dshield-BLOCK.rules
    -> bleeding-dshield.rules
    -> bleeding-exploit.rules
    -> bleeding-game.rules
    -> bleeding-inappropriate.rules
    -> bleeding-malware.rules
    -> bleeding-p2p.rules
    -> bleeding-policy.rules
    -> bleeding-scan.rules
    -> bleeding-sid-msg.map
    -> bleeding-virus.rules
    -> bleeding-web.rules
    -> bleeding.conf
    -> bleeding.rules
    -> community-bot.rules
    -> community-dos.rules
    -> community-exploit.rules
    -> community-ftp.rules
    -> community-game.rules
    -> community-icmp.rules
    -> community-imap.rules
    -> community-inappropriate.rules
    -> community-mail-client.rules
    -> community-misc.rules
    -> community-nntp.rules
    -> community-oracle.rules
    -> community-sid-msg.map
    -> community-sip.rules
    -> community-smtp.rules
    -> community-sql-injection.rules
    -> community-virus.rules
    -> community-web-attacks.rules
    -> community-web-cgi.rules
    -> community-web-client.rules
    -> community-web-dos.rules
    -> community-web-iis.rules
    -> community-web-misc.rules
    -> community-web-php.rules

You’ve now updated the rules from BleedingSnort.com, a community site used for disseminating Snort signatures, and the community rules maintained by Snort.org. If you also want to have Oinkmaster automatically update Sourcefire VRT Certified Rules (see http://www.snort.org/rules/), you can add a line like this to your oinkmaster.conf file:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/ \
  5f6e64e16258a2f94dd7e7b0ef4e5c59cf4216a3/snortrules-snapshot-2.4.tar.gz

Replace the long substring that looks like an SHA1 hash with the code you received when registering for access to the rules.

Now, just add a crontab entry to run Oinkmaster regularly and to restart Snort when it’s finished updating the rules, and you’ll always be up-to-date on the most current Snort signatures. And, as a plus, you won’t have to remember which rules to disable ever again.