Snort + Rules Update

定期update rules，使用 snortconfig、 oinkmaster 
　

snortconfig

[1.] wget http://www.shmoo.com/~bmc/software/snortconfig/Net-Snort-Parser-1.21.tar.gz
      tar zxvf Net-Snort-Parser-1.21.tar.gz
      cd Net-Snort-Parser-1.21
      perl Makefile.PL
      make
      make install
　

[2.] 在這裡面定義依files、classifications、及sids形式設定drop或者alert
         vi HONEYNET.config        

# 依files為主，來更改為drop、或者alert

[files]

drop: shellcode.rules, exploit.rules, rpc.rules
alert: tftp.rules

　

# 依類別型態為主，來更改為drop、或者alert
[classifications]
drop: attempted-admin,bad-unknown, attempted-dos, successful-dos, attempted-user, attempted-admin, successful-user, rpc-portmap-decode, shellcode-detect, denial-of-service, misc-attack
alert: trojan-activity 
　

# 此disable則是把rules註解掉

disable: test.rules
　

# 依sids為主，來更改為drop、或者alert
[sids]

alert: 1289, 1441, 1442, 1443, 519, 520, 518, 1444

[3.] 執行
         snortconfig -inline -file snort_inline.conf -config HONEYNET.config -directory /存放新rules路徑/
　

加個-inline參數是因為要讓它認得snort-inline有的功能，如drop

snortconfig會去顧濾到snort_inline.conf裡所include的rules，不會因註解或無註解，
所以你在snort_inline.conf所include的rules，如果沒在drop-rules裡有檔案的話，
snortconfig會轉編錯誤，就從那個rules之後的rules都沒有內容，
就是說snort_inline.conf裡的rules，如果不要的話，直接拿掉，不要註解。

oinkmaster http://oinkmaster.sourceforge.net/

[1.] wget http://oinkmaster.sourceforge.net/old/oinkmaster-1.2.tar.gz
      tar zxvf oinkmaster-1.2.tar.gz
      cd oinkmaster-1.2
      cp oinkmaster.conf /etc/
      cp oinkmaster.pl /usr/local/bin/

      cp oinkmaster.1 /usr/local/man/man1
　

[2.] vi /etc/oinkmaster.conf

# 定義從網站下載rules
url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz

　

# 定義從網站下載rules後，不要把snort.conf解開放到指定的目錄

skipfile snort.conf

　

# 定義依sid編號來把alert改成drop
modifysid 1378 "^alert" | "drop"

　

# 定義把sid為1378及110的alert改成drop
modifysid 1378,110 "^alert" | "drop"

　

# 星號代表全部rules
modifysid * "^alert" | "drop"

註:
由於www.snort.org網頁在2005年時已更新，所以要下載Rules，必需先註冊，
並得到Oink Code，然後更改下載路徑。
Example:

# url = http://www.snort.org/dl/rules/snortrules-snapshot-2.3.tar.gz
url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.3.tar.gz

測式

   oinkmaster.pl -T -o /usr/local/ips/etc/drop-rules/

執行
   oinkmaster.pl -o /drop-rules/
　

結果會顯示新的rules與舊的rules的差別

排程 vi /etc/crontab

0 0 * * 6 root oinkmaster.pl -o /etc/snort_inline/drop-rules -b /etc/snort_inline/backup 2>&1 | logger -t oinkmaster
# 排程—————————–新rules位置————————-把舊rules備份位置———————–並把執行過程記錄到syslog裡

排程加入email通知

0 0 * * * root oinkmaster.pl -o /etc/snort_inline/drop-rules -b /etc/snort_inline/backup 2>&1 | mail -s "oinkmaster subject" cross@ssorc.tw

比較 oinkmaster & snortconfig
oinkmaster (舊版)似乎只以sid為更新修改，而snortconfig 則有依files，classtype，sids來作變動
所以

0 0 * * 0 root /usr/local/bin/oinkmaster.pl -o /etc/snort_inline/drop-rules 1> /dev/null 2>&1 ; /usr/bin/snortconfig -inline -file /etc/snort_inline/snort_inline.conf -config /etc/snort_inline/HONEYNET.config -directory /etc/snort_inline/drop-rules/ ; /etc/snort_inline/snort_inline.sh

先用oinkmaster從網站抓rules下來並依sids做更新後(如衝擊為嚴重的給drop)，
再用snortconfig來依files(比如說你要把某個rules裡的全部規則給drop)做更新，
(必需先定義在HONEYNET.config)
　

重點更新:
oinkmaster 1.2版已可以處理整個rules，所以可以不需搭配snortconfig了

modifysid dos.rules, exploit.rules “^alert” | “drop”

結論 oinkmaster 較好用
　

實際應用 /etc/oinkmaster.conf

# download rules from http
url = http://10.1.1.254/snortrulesdl/snortrules-snapshot-2.4.tar.gz

# drop all sids of one rule by self
modifysid attack-responses.rules, backdoor.rules, ddos.rules, dos.rules, other-ids.rules, p2p.rules, scan.rules, icmp.rules "^alert" | "drop"

# drop some sids with serious and severe impact
modifysid 1001,1062,1071,1080,1163,1166,1240,1251,1257,1261,1284,1323,1377,1378,1398,1504,1527,1545,1641,1673,1674,1675,1676,1677,1678,1679,1680,1681,1682,1683,1684,1685,1686,1687,1688,1689,1690,1691,1692,1693,1694,1695,1696,1697,1728,1751,1759,1775,1778,1792,1805,1858,1866,1882,1888,1892,1893,1894,1895,1896,1897,1898,1899,2048,2104,2105,2113,2124,2155,2174,2175,2176,2177,2231,2232,2233,2234,2235,2236,2239,2240,2241,2242,2244,2250,2253,2254,2257,2258,226,2308,2309,2310,2311,2315,2316,2317,2318,2319,2320,2329,2330,2381,2382,2383,2384,2385,2401,2402,2403,2404,2406,2409,2411,2418,2419,2420,2421,2422,2423,2437,2438,2439,2440,2443,2444,2445,2446,2470,2471,2472,2473,2474,2475,2480,2481,2482,2483,2545,2546,2551,2552,2553,2554,2555,2556,2557,2558,2559,2560,2576,2577,2599,2600,2601,2602,2603,2604,2605,2606,2607,2608,2609,2610,2611,2612,2613,2614,2615,2616,2617,2618,2619,2620,2621,2622,2623,2624,2625,2626,2627,2628,2629,2630,2631,2632,2633,2634,2635,2636,2637,2638,2639,2640,2641,2642,2643,2644,2645,2646,2647,2648,2649,2650,2651,2652,2653,2664,2665,2666,2674,2675,2676,2677,2678,2679,2680,2681,2682,2683,2684,2685,2686,2687,2688,2689,2690,2691,2692,2693,2694,2695,2696,2697,2698,2699,2700,2701,2702,2703,2704,2705,2706,2707,2708,2709,2710,2711,2712,2713,2714,2715,2716,2717,2718,2719,2720,2721,2722,2723,2724,2725,2726,2727,2728,2729,2730,2731,2732,2733,2734,2735,2736,2737,2738,2739,2740,2741,2742,2743,2744,2745,2746,2747,2748,2749,2750,2751,2752,2753,2754,2755,2756,2757,2758,2759,2760,2761,2762,2763,2764,2765,2766,2767,2768,2769,2770,2771,2772,2773,2774,2775,2776,2777,2778,2779,2780,2781,2782,2783,2784,2785,2786,2787,2788,2789,2790,2791,2792,2793,2794,2795,2796,2797,2798,2799,2800,2801,2802,2803,2804,2805,2806,2807,2808,2809,2810,2811,2812,2813,2814,2815,2816,2817,2818,2819,2820,2821,2822,2823,2824,2825,2826,2827,2828,2829,2830,2831,2832,2833,2834,2835,2836,2837,2838,2839,2840,2841,2842,2843,2844,2845,2846,2847,2848,2849,2850,2851,2852,2853,2854,2855,2856,2857,2858,2859,2860,2861,2862,2863,2864,2865,2866,2867,2868,2869,2870,2871,2872,2873,2874,2875,2876,2877,2878,2879,2880,2881,2882,2883,2884,2885,2886,2887,2888,2889,2890,2891,2892,2893,2894,2895,2896,2897,2898,2899,2900,2901,2902,2903,2904,2905,2906,2907,2908,2909,2910,2911,2912,2913,2914,2915,2916,2917,2918,2919,2928,2929,2930,2931,2932,2933,2934,2935,2936,2937,2938,2939,2940,2941,2942,2943,2944,2945,2946,2947,2948,2949,2956,2957,2958,2959,2960,2961,2962,2963,2964,2965,2966,2967,2968,2969,2970,2971,2976,2977,2978,2979,2980,2981,2982,2983,2984,2985,2988,2989,2992,2993,2994,2995,2996,2997,2998,2999,3000,3001,3002,3003,3004,3005,3018,3019,3020,3021,3022,3023,3024,3025,3026,3027,3028,3029,3030,3031,3032,3033,3034,3035,3036,3037,3038,3039,304,3040,3041,3042,3043,3044,3045,3046,3047,3048,3049,305,3050,3051,3052,3053,3054,3055,3056,3057,3058,306,3061,307,308,3080,3084,3085,309,3090,3091,3092,3093,3094,3095,3096,3097,3098,3099,310,3100,3101,3102,3103,3104,3105,3106,3107,3108,3109,3110,3111,3112,3113,3114,3115,3116,3117,3118,3119,312,3120,3121,3122,3123,3124,3125,3126,3127,3128,3129,313,3135,3136,3137,3138,3139,3140,3141,3142,3143,3144,3145,3146,3147,3148,3149,3150,3192,3193,3194,3201,326,327,3272,3274,334,335,336,344,3441,3442,3455,3456,3461,3462,3466,3468,3532,3538,3539,3540,3541,3549,3550,3552,3553,356,362,3629,3630,3631,3638,3639,3640,3641,3642,3643,3644,3645,3646,3647,3648,3649,3650,3657,3664,3677,3678,3695,3813,3816,3817,3818,3819,3820,3821,3827,3944,3945,3946,3947,3948,3949,3950,3951,3952,3953,3954,3955,3956,3957,3958,3959,3960,3961,3962,3963,3964,3965,3966,3967,3968,3969,3970,3971,3972,3973,3974,3975,3976,3977,3978,3979,3980,3981,3982,3983,3984,3985,3986,3987,3988,3989,3990,3991,3992,3993,3994,3995,3996,3997,3998,3999,4000,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,4015,4016,4017,4018,4019,4020,4021,4022,4023,4024,4025,4026,4027,4028,4029,4030,4031,4032,4033,4034,4035,4036,4037,4038,4039,4040,4041,4042,4043,4044,4045,4046,4047,4048,4049,4050,4051,4052,4053,4054,4055,4056,4057,4058,4059,4061,4062,4063,4064,4065,4066,4067,4068,4069,4070,4071,4072,4073,4074,4075,4076,4077,4078,4079,4080,4081,4082,4083,4084,4085,4086,4087,4088,4089,4090,4091,4092,4093,4094,4095,4096,4097,4098,4099,4100,4101,4102,4103,4104,4105,4106,4107,4108,4109,4110,4111,4112,4113,4114,4115,4116,4117,4118,4119,4120,4121,4122,4123,4124,4125,4126,4127,4130,4131,4140,4141,4144,4194,4195,4196,4245,4246,4247,4248,4249,4250,4251,4252,4253,4254,4255,4256,4257,4258,4259,4260,4261,4262,4263,4264,4265,4266,4267,4268,4269,4270,4271,4272,4273,4274,4275,4276,4277,4278,4279,4280,4281,4282,4283,4284,4285,4286,4287,4288,4289,4290,4291,4292,4293,4294,4295,4296,4297,4298,4299,4300,4301,4302,4303,4304,4305,4306,4307,4308,4309,4310,4311,4312,4313,4314,4315,4316,4317,4318,4319,4320,4321,4322,4323,4324,4325,4326,4327,4328,4329,4330,4331,4332,4333,4334,4335,4336,4337,4338,4339,4340,4341,4342,4343,4344,4345,4346,4347,4348,4349,4350,4351,4352,4353,4354,4355,4356,4357,4358,4359,4360,4361,4362,4363,4364,4365,4366,4367,4368,4369,4370,4371,4372,4373,4374,4375,4376,4377,4378,4379,4380,4413,4414,4415,4416,4417,4418,4419,4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,4430,4431,4432,4433,4434,4435,4436,4437,4438,4439,4440,4441,4442,4443,4444,4477,4478,4479,4480,4481,4482,4483,4484,4485,4486,4487,4488,4489,4490,4491,4492,4493,4494,4495,4496,4497,4498,4499,4500,4501,4502,4503,4504,4505,4506,4507,4508,4541,4542,4543,4544,4545,4546,4547,4548,4549,4550,4551,4552,4553,4554,4555,4556,4557,4558,4559,4560,4561,4562,4563,4564,4565,4566,4567,4568,4569,4570,4571,4572,4605,4606,4607,4608,4609,4610,4611,4612,4613,4614,4615,4616,4617,4618,4619,4620,4621,4622,4623,4624,4625,4626,4627,4628,4629,4630,4631,4632,4633,4634,4635,4636,4637,4638,4639,4640,4641,4642,4643,4644,4645,4646,4651,4652,4653,4654,4655,4656,4657,4658,4659,4660,4661,4662,4663,4664,4665,4666,4667,4668,4669,4670,4671,4672,4673,4674,4675,4676,4677,4679,4680,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4765,4766,4767,4768,4769,4770,4771,4772,4773,4774,4775,4776,4777,4778,4779,4780,4781,4782,4783,4784,4785,4786,4787,4788,4789,4790,4791,4792,4793,4794,4795,4796,4797,4798,4799,4800,4801,4802,4803,4804,4805,4806,4807,4808,4809,4810,4811,4812,4813,4814,4815,4816,4817,4818,4819,4820,4821,4822,4823,4824,4825,494,495,496,497,498,4985,4986,4987,4988,4989,4990,505,507,511,512,517,529,5316,5317,532,5325,5326,5327,5328,5329,533,5330,5331,5332,5437,5438,5439,5440,5441,5442,5443,5444,5445,5446,5447,5448,5449,5450,5451,5452,5453,5454,5455,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5469,5470,5471,5472,5473,5474,5475,5476,5477,5478,5479,5480,5481,5482,5483,5484,5485,5486,5487,5488,5489,5490,5491,5492,5493,5494,5495,5496,5497,5498,5499,5500,5501,5502,5503,5504,5505,5506,5507,5508,5509,5510,5511,5512,5513,5514,5515,5516,5517,5518,5519,5520,5521,5522,5523,5524,5525,5526,5527,5528,5529,5530,5531,5532,5533,5534,5535,5536,5537,5538,5539,5540,5541,5542,5543,5544,5545,5546,5547,5548,5677,5678,5679,5680,5681,5682,5683,5684,5695,5710,5711,5712,5713,5714,604,606,609,610,638,639,640,641,642,643,644,645,646,673,676,677,678,679,680,681,682,683,684,685,686,687,688,689,691,692,693,694,706,708,711,724,725,726,727,728,735,904,905,906,907,967,971,1137,1550,1600,1601,1602,1773,1777,1971,227,236,243,244,245,246,247,248,249,250,258,259,260,261,339,506,514,657,665,667,668,669,670,671,734 "^alert" | "drop"