Update Snort

Hacking 2010. 3. 4. 09:05
2010.3.3 Wed

Once Snort is installed, it is required to install the Snort signature rules and keep them up to date.
Fortunately, there is a Perl script that gives us some precious help: Oinkmaster.

#apt-get install oinkmaster
Install or update the rules.

To download the Snort rules, we need to create a free account on the Snort website.
The Snort rules are made by Sourcefire, and you can get them for free a few days after they are released to commercial subscribers.

Once you are logged into your Snort account, you can get a code at the bottom of the page.


We need this code in the /etc/oinkmaster.conf file.

You need first to know which Snort version you have:

# snort -V
which generates the following output on our test machine:

,,_ -*> Snort! <*-
o" )~ Version 2.3.2 (Build 12)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.


Modify the "url" settings in the /etc/oinkmaster.conf file as below:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/yourcode_here/snortrules-snapshot-2.3.tar.gz
This will download the snortrules-snapshot-2.3.tar.gz file. The version number in the file name changes depending on the Snort version you have (2.0, 2.1, 2.2, 2.3 or 2.4).

If you have a 2.6.x Snort version, you need to configure the "url" setting as below:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/yourcode_here/snortrules-snapshot-CURRENT.tar.gz
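As an added example (not part of the original post), the following POSIX shell snippet derives the "url" line from the version string that "snort -V" prints, using the snapshot names described above (2.0 through 2.4 get a versioned snapshot, 2.6.x gets CURRENT), and writes it into a copy of oinkmaster.conf. The YOUR_OINKCODE value and the conf file path are placeholders you supply; the snort.org URL is the one from the post, and the demo banner line is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: pick the Oinkmaster "url" line
# from the Snort version and write it into an oinkmaster.conf file.
# The code from the Snort website is passed in as a parameter (placeholder: YOUR_OINKCODE).

# Map a Snort version string such as "2.3.2" to the rules snapshot file name:
# 2.0 through 2.4 use snortrules-snapshot-<major.minor>.tar.gz,
# 2.6.x uses snortrules-snapshot-CURRENT.tar.gz. Anything else is rejected.
snapshot_name() {
    major_minor=$(printf '%s\n' "$1" | cut -d. -f1,2)
    case "$major_minor" in
        2.0|2.1|2.2|2.3|2.4) printf 'snortrules-snapshot-%s.tar.gz\n' "$major_minor" ;;
        2.6) printf 'snortrules-snapshot-CURRENT.tar.gz\n' ;;
        *) printf 'no known rules snapshot for Snort %s\n' "$1" >&2; return 1 ;;
    esac
}

# Pull "2.3.2" out of the banner that "snort -V" prints (read from stdin).
parse_snort_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compose the full "url = ..." setting for oinkmaster.conf: oink_url CODE VERSION
oink_url() {
    name=$(snapshot_name "$2") || return 1
    printf 'url = http://www.snort.org/pub-bin/oinkmaster.cgi/%s/%s\n' "$1" "$name"
}

# set_oink_url CONF CODE VERSION: replace any existing url line in CONF (or append one).
# Point it at a copy of /etc/oinkmaster.conf, then install the copy as root.
set_oink_url() {
    conf="$1"
    line=$(oink_url "$2" "$3") || return 1
    grep -v '^url *= *' "$conf" > "$conf.tmp" || true   # grep exits 1 when nothing is kept
    printf '%s\n' "$line" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Demo on a constructed banner line and a throw-away conf file.
demo_conf=$(mktemp)
printf '# constructed sample conf\nurl = http://example.invalid/old-setting\n' > "$demo_conf"
ver=$(printf 'o"  )~   Version 2.3.2 (Build 12)\n' | parse_snort_version)
set_oink_url "$demo_conf" "YOUR_OINKCODE" "$ver"
cat "$demo_conf"
rm -f "$demo_conf"
```

Rejecting versions the post does not list (for example 2.5) is deliberate: a guessed snapshot name would silently give you a 404 from the cron job later instead of an error now.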
Let's create a backup folder.

#mkdir /etc/snort/backup
Let us now update the rules. We must be careful not to run oinkmaster as root, particularly if you are not in a test environment.
So let's add a user called oinkmaster.

#useradd oinkmaster
Change some permissions to let oinkmaster user run the oinkmaster software:

#chown -R oinkmaster /etc/snort/backup
#chown -R oinkmaster /etc/snort/rules
#chown -R oinkmaster /var/run/oinkmaster
#chmod 644 /etc/snort/snort.conf
Now, it's time to test the oinkmaster Perl script as the oinkmaster user.

#su oinkmaster
oinkmaster#oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1
The last command runs the oinkmaster Perl script and puts the new rules in the /etc/snort/rules folder; if the new rules differ from the current ones, the current contents of /etc/snort/rules are first backed up as a tarball in the /etc/snort/backup folder.

Here is an example of our backup folder after running oinkmaster:

#dir /etc/snort/backup
rules-backup-20060205-163627.tar.gz

The crontab

Since we are quite lazy, we don't want to manually run this script every day.
A little cron will help us.

crontab -e -u oinkmaster
30 00 * * * oinkmaster -o /etc/snort/rules -b /etc/snort/backup >> /dev/null 2>&1
This will update the rules each day at 00:30.
(The crontab command will update the /var/spool/cron/crontabs/oinkmaster file.)

crontab -e will open nano by default. If you want to open vi instead, just type:
#export EDITOR=vi
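The manual update step and the cron job above can be wrapped in one small script. What follows is an added example (not from the original post) of such a wrapper: it refuses to run as uid 0, checks that the rules and backup directories are writable by the invoking user, runs oinkmaster exactly as in the post, and reports whether a new rules-backup archive appeared. OINKMASTER_CMD and EFFECTIVE_UID are hooks assumed for this example so the wrapper can be exercised without the tool installed; the script path /usr/local/bin/update-rules.sh and the log file in the usage note are assumptions too.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the oinkmaster
# invocation that enforces the "don't run as root" advice and checks the backup.
# OINKMASTER_CMD and EFFECTIVE_UID are hooks assumed for this example (they let
# a test substitute a stub for the real tool and a non-root uid).
OINKMASTER_CMD=${OINKMASTER_CMD:-oinkmaster}

# Number of rules-backup-*.tar.gz archives that "oinkmaster -b" has written so far.
count_backups() {
    ls "$1"/rules-backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# update_rules RULES_DIR BACKUP_DIR
# Exit codes: 0 ok, 1 oinkmaster failed, 2 running as root, 3 directories not writable.
update_rules() {
    rules_dir="$1"; backup_dir="$2"
    if [ "${EFFECTIVE_UID:-$(id -u)}" -eq 0 ]; then
        echo "refusing to run oinkmaster as root; use the oinkmaster account" >&2
        return 2
    fi
    # The chown steps in the post are what make these directories writable
    # for the dedicated account; fail early if they were skipped.
    if [ ! -w "$rules_dir" ] || [ ! -w "$backup_dir" ]; then
        echo "$rules_dir or $backup_dir is not writable by $(id -un)" >&2
        return 3
    fi
    before=$(count_backups "$backup_dir")
    # Same invocation as in the post: new rules into -o, old rules tarred into -b.
    "$OINKMASTER_CMD" -o "$rules_dir" -b "$backup_dir" 2>&1 || return 1
    after=$(count_backups "$backup_dir")
    if [ "$after" -gt "$before" ]; then
        echo "rules changed; backup written to $backup_dir"
    else
        echo "no rule changes"
    fi
}

# Usage from the oinkmaster account (or its crontab):
#   sh update-rules.sh /etc/snort/rules /etc/snort/backup
if [ "$#" -eq 2 ]; then
    update_rules "$1" "$2"
fi
```

With the script saved as /usr/local/bin/update-rules.sh (assumed path), the crontab entry for the oinkmaster user becomes "30 00 * * * sh /usr/local/bin/update-rules.sh /etc/snort/rules /etc/snort/backup >> /var/log/oinkmaster.log 2>&1" (assumed log path), so that a failed download or a permission problem leaves a trace instead of vanishing into /dev/null.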

Posted by CEOinIRVINE