MODULE 8
Module Objectives:
- Understand how rules are distributed
- Describe issues to be concerned with when updating rules
- Use automated rule updating tools
http://it4training.com
Rule Maintenance
Slide 151
The primary source for rule updates is www.snort.org, where the latest rule sets are available for download. These rules are created by the Sourcefire Vulnerability Research Team (VRT). Rule updates may consist of new rules, modifications to existing rules or removal of rules. To protect against the latest threats it is always good practice to keep your rules current.
You may want to jot down the names of the files here as well. If you are using an automated tool to download the rules, you'll need to know the file name and location.
You can register on the snort.org site and obtain VRT certified rules at no cost 30 days after they are released to VRT subscribers.
Sourcefire will announce, through the Snort Blog and the http://snort.org site, the availability of new rules.
Keeping Rules Up To Date
[Screenshot of the snort.org rules download page]

The Subscriber Release provides registered users of snort.org with immediate access to the most up to date Sourcefire VRT Certified Rules available. Realtime access requires a paid, annual subscription. For more information on a subscription click here, or to purchase a VRT Rules subscription visit the VRT Store.

Snort v2.9: snortrules-snapshot tarball (MD5), Aug. 2011
Snort v2.8.6.1: snortrules-snapshot-2861.tar.gz (MD5), 25 Aug. 2011

The Registered User Release: Sourcefire VRT Certified Rules updates are available to registered users of snort.org free of charge 30 days after the initial release to subscribers.
Slide 152
Every Snort installation should be tuned for the environment it is monitoring. There are many options for tuning an installation, but one of the primary options is tuning the rules themselves. For performance purposes, you may have disabled some rules or removed entire classes of rules that did not apply to the environment a given sensor is in. This is no trivial exercise; it often takes some time and lots of close monitoring of your sensors to get it right. Rule updates, if not applied with caution, may overwrite rule files and alter your configurations. With the large number of rules you have to deal with, recovery could be a time consuming, labor intensive effort. For this reason the wise approach is to have good change control practices in place and automated tools to assist in the effort. Also, upon completion of rule updates, a thorough review of the changes should be conducted to ensure that your de
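The review step described above can be done mechanically: keep a copy of the consolidated rules file from before the update, and compare it with the file the update produced. The script below is an added example, not code from the training material or from PulledPork; it parses both files, keys every rule by (gid, sid) and reports what was added, removed, revised, enabled, disabled or changed in action. The rule text is constructed for the example, and the "enabled" bucket is the one to look at first, since that is where a rule you had tuned off would reappear.

```python
# Added example (not the manual's or PulledPork's code): compare the
# consolidated rules file from before an update with the one after it and
# classify what changed, so the "thorough review of the changes" can be done
# mechanically. The two rule texts below are constructed for the example.
import re

# A rule line: optional leading '#' (disabled), an action, then a header and
# an option block ending in ')'. gid defaults to 1 when no gid: option exists.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|sdrop|reject)\s.*?\(.*\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return {(gid, sid): {'enabled': bool, 'action': str, 'rev': int}}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            continue                      # blank lines, comments, includes
        sid = SID_RE.search(line)
        if sid is None:
            continue                      # malformed: do not guess an identity
        gid, rev = GID_RE.search(line), REV_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        rules[key] = {'enabled': m.group('disabled') is None,
                      'action': m.group('action'),
                      'rev': int(rev.group(1)) if rev else 0}
    return rules


def review_changes(before_text, after_text):
    """Bucket every (gid, sid) seen in either file. A rule that was tuned off
    and is enabled again after the update shows up under 'enabled', which is
    exactly the case an update can silently undo."""
    before, after = parse_rules(before_text), parse_rules(after_text)
    report = {'added': [], 'removed': [], 'enabled': [], 'disabled': [],
              'action_changed': [], 'revised': []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report['added'].append(key)
        elif key not in after:
            report['removed'].append(key)
        else:
            b, a = before[key], after[key]
            if b['enabled'] and not a['enabled']:
                report['disabled'].append(key)
            elif not b['enabled'] and a['enabled']:
                report['enabled'].append(key)
            elif b['action'] != a['action']:
                report['action_changed'].append(key)
            elif b['rev'] != a['rev']:
                report['revised'].append(key)
    return report


def format_report(report):
    """One line per change, in the spirit of PulledPork's sid changelog."""
    return ['%s: %d:%d' % (kind, gid, sid)
            for kind, keys in report.items() for gid, sid in keys]


# Constructed sample: the tuned rules file before the update ...
BEFORE = """\
# tuned rules file, before the update
alert tcp any any -> any 80 (msg:"EXAMPLE one"; sid:1000001; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE two (tuned off)"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE three"; sid:1000003; rev:2;)
alert tcp any any -> any 25 (msg:"EXAMPLE gid3 stub"; gid:3; sid:1000004; rev:1;)
"""
# ... and the same file as the update left it
AFTER = """\
alert tcp any any -> any 80 (msg:"EXAMPLE one"; sid:1000001; rev:2;)
alert tcp any any -> any 21 (msg:"EXAMPLE two (tuned off)"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE three"; sid:1000003; rev:2;)
drop tcp any any -> any 25 (msg:"EXAMPLE gid3 stub"; gid:3; sid:1000004; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE five (new)"; sid:1000005; rev:1;)
"""

if __name__ == '__main__':
    for line in format_report(review_changes(BEFORE, AFTER)):
        print(line)
```

Run it against the backup PulledPork made (the backup option is covered later in this module) and the freshly written snort.rules; anything under "enabled" or "action_changed" is a tuning decision that the update has reversed and that should go back into disablesid.conf or the equivalent file rather than be re-edited by hand.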
PulledPork can:
- Download updates from multiple locations
- Add the new rules to your installation
- Update shared object rules
- Update the sid-msg.map file
As you can see, this is a fairly sophisticated tool with many helpful options. It is freely available from its homepage at http://code.google.com/p/pulledpork or from the snort.org site in the downloads/additional-downloads section. This tool is a Perl script, so, obviously, you must have Perl installed along with the needed Perl modules. Keep in mind that this tool is updated as needed, and not every update is rolled into a new tarball. Keep an eye on the source tree and the change log to see what updates are available.
Installing PulledPork
Slide 154
The PulledPork distribution comes packed in a tarball like the rest of the software you've used thus far. To stay consistent, you should place the PulledPork package with the other software packages in the /usr/local directory. The version used in class is pulledpork-0.6.2 with several svn updates.

After unpacking it, use the following commands to install it:

[root@snortbox local]# cd pulledpork-0.6.2
[root@snortbox pulledpork-0.6.2]# cp pulledpork.pl /usr/local/bin
[root@snortbox pulledpork-0.6.2]# chmod 755 /usr/local/bin/pulledpork.pl
[root@snortbox pulledpork-0.6.2]# mkdir /etc/pulledpork
[root@snortbox pulledpork-0.6.2]# cp etc/*.conf /etc/pulledpork/
[root@snortbox pulledpork-0.6.2]#
Conliguring PulledPork
Slide 155
The primary configuration file for PulledPork is the pulledpork.conf file. Configuring this file is critical to the proper operation of the tool so that you can take full advantage of its functionality. It is important to understand how PulledPork handles updates. PulledPork will consolidate text rules, with the exception of ignored files, into a single file called snort.rules. This has the advantage of simplifying the management of rules. In the snort.conf you would include only these files. The benefit of this is that if a new .rules file is included from the VRT then it would be automatically added to the consolidated file and no further update would be needed to the snort.conf. The same thing occurs with the shared object rules. You would include the directory for the .so files and then include a single stub file. Rulesets may still be customized through the use of additional configuration files or the ignore option in pulledpork.conf.
The rule sources section of pulledpork.conf contains:
# The rule_url value replaces the old base_url and rule_file configuration
# options. You can now specify one or as many rule_url's as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|123456. You can
# specify each on an individual line, or you can specify them in a , separated
# list i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe
# i.e. url|tarball|123456789
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement
# rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netblos
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
#
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore=dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
Note the reference to the "Oinkcode". Registered users can generate an Oinkcode when they log in to the snort.org site. The Oinkcode goes in the location indicated by the example in order to obtain the VRT certified rules.
# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp
... be included in the snort.conf file. Any .rules files that you have created would need to be added to this section of this file so that the sid-msg.map file is updated properly. The sid-msg.map file is a signature mapping file used with applications like Barnyard and Barnyard2. This portion of the file configures these locations. This section also allows for the creation of a change log.
# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, we are now creating a single large rules file
# but still keeping a separate file for your so-rules!
rule_path=/usr/local/etc/snort/rules/snort.rules

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths.
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map

# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
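To see why local_rules has to list every rules file you wrote yourself, it helps to build a sid-msg.map by hand. The script below is an added example, not part of the training material or of PulledPork; it extracts sid, msg and reference options from the consolidated rules file plus any local rules files and writes the one-line-per-sid "sid || msg || ref || ref" layout that Barnyard and Barnyard2 read (assumed here to be the format in use; the rule text is constructed for the example). A sid that exists only in local.rules and is left out of the map shows up in Barnyard output with no message text, which is the failure the local_rules option prevents.

```python
# Added example (not the manual's or PulledPork's code): build a sid-msg.map
# in the "sid || msg || ref || ref" layout consumed by Barnyard/Barnyard2 from
# the consolidated rules file plus any local rules files. Rule text below is
# constructed for the example.
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')
RULE_START = re.compile(r'^\s*#?\s*(alert|drop|pass|log|sdrop|reject)\s')


def sid_msg_entries(rule_text, include_disabled=True):
    """Yield (sid, msg, [references]) for every rule in rule_text.
    Disabled ('#'-commented) rules are kept by default: an event archived
    while the rule was active must still be decodable after you tune it off."""
    for line in rule_text.splitlines():
        if not RULE_START.match(line):
            continue
        if not include_disabled and line.lstrip().startswith('#'):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if not (sid and msg):
            continue          # malformed rule: leave it out rather than emit junk
        refs = [r.strip() for r in REF_RE.findall(line)]
        yield int(sid.group(1)), msg.group(1), refs


def build_sid_msg_map(rule_files):
    """rule_files: {label: text}. Later files win on a duplicate sid, so list
    local.rules last if it deliberately overrides a vendor sid. Output is
    sorted by sid, which keeps diffs between runs readable."""
    table = {}
    for _label, text in rule_files.items():
        for sid, msg, refs in sid_msg_entries(text):
            table[sid] = (msg, refs)
    lines = [' || '.join([str(sid), table[sid][0]] + table[sid][1])
             for sid in sorted(table)]
    return '\n'.join(lines) + '\n'


# Constructed sample input: a vendor rule, a rule tuned off, and a local rule
SNORT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE vendor rule"; reference:cve,2009-0233; reference:bugtraq,21301; sid:20001; rev:3;)
# alert tcp any any -> any 80 (msg:"EXAMPLE tuned off"; sid:20002; rev:1;)
"""
LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"LOCAL ping from outside"; sid:1000001; rev:1;)
"""

if __name__ == '__main__':
    print(build_sid_msg_map({'snort.rules': SNORT_RULES,
                             'local.rules': LOCAL_RULES}), end='')
```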
Shared object rules provide an easy way of extending Snort's capabilities by communicating directly with the Snort engine by way of an API. This capability effectively removes any limitations imposed by the standard Snort rules language. This section of the file defines the parameters used for them. The rules consist of two parts, the binary or .so file and a "stub" file. The stub file is like a traditional text rule and is used for tuning the .so rule. However, before you can use them you must properly configure the dynamic plug-in settings in addition to including the stub file as you would a text rules file.
# The below section is for so rule processing only. If you don't need to use them,
# then comment this section out! Alternately, if you are not using pulledpork to
# process so_rules, you can specify -T at runtime to bypass this altogether

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
distro=FreeBSD-8.0
Optional Settings
You can specify other settings for PulledPork including where to extract the rule documentation, the order for processing modifications, processes to HUP, versioning information and modification files to process.
####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!
# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# the following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable
# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# Defining this value will set the Textonly flag, and thus will NOT allow
# you to use shared object rules. This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0
Rule Modification Files
You can specify which rule modification files you want to process automatically. These may also be called from the command line. Any options called from the command line will override the settings in the configuration file.
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Selecting Rulesets
Slide 156
The VRT includes metadata in the rules that allows for three basic pre-defined rule sets. These rulesets turn on specific rules for detection (note: at this time PulledPork does not change rule actions to "Drop").
# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security
The available rulesets are used as follows:
- Connectivity - You run a lot of real time applications (VoIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy; additionally this category focuses on the high profile vulnerabilities most likely to affect the largest number of people.
- Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks start here.
- Security - You don't care about dropping your boss's email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist start here.
Slide 157
Rules may be disabled, enabled or set to drop utilizing additional configuration files. These files include disablesid.conf, enablesid.conf and dropsid.conf. PulledPork supports GIDs 1 and 3. These files are either enabled in the configuration file or called with a command line option. All the rule modification files accept the same style of arguments, as follows:
- GID:SID pairs
- Rule ranges
- MS, cve and bugtraq reference patterns
- pcre: patterns matched against the rule message
- Rule categories
Below are examples of how you could modify the rule states.

Note: This file is used to specify what rules you wish to be set to have an action of drop rather than alert. This means that you are running snort inline (more info about inline deployments at snort.org).

# Example of GID:SID pairs
1:1034,1:90,1:710,1:7249,3:13010

# Example of rule ranges
1:220-1:3264,3:13010-3:13013
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+ will NOT work, use the pcre: keyword (below)
# for this).
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more
# information about regular expression syntax:
# http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+

# Example of modifying state for specific categories entirely (see
# README.CATEGORIES)
# web-iis,shellcode,smtp

# any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# the modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
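The interplay between the three modification files and state_order is easiest to see by running the syntax through a small interpreter. The code below is an added example and not PulledPork's own implementation: it parses the token forms described above (GID:SID pairs, GID:SID-GID:SID ranges, MSxx-/cve:/bugtraq: reference patterns where only the part after the prefix is a regex, pcre: against the msg, and bare category names) and applies disable, drop and enable in the configured order, so a later operation overrides an earlier one. Assumptions are marked in comments: a rule's category is taken from the rules file it came from, MSxx- tokens are searched in the msg and references, a dropped rule is also enabled, and tokens are split on commas, so a pcre containing a comma is not supported here. The rules and sids are constructed for the example.

```python
# Added example (not the manual's or PulledPork's code): an interpreter for
# the disablesid/dropsid/enablesid syntax applied in state_order. Rules,
# categories and sids below are constructed; a rule's category is assumed to
# be the rules file it was read from, as in the VRT tarball layout.
import re

ACTIONS = 'alert|drop|pass|log|sdrop|reject'
RULE_RE = re.compile(r'^\s*(?P<off>#\s*)?(?P<action>%s)\s+(?P<body>.*\))\s*$' % ACTIONS)
OPT_RE = {k: re.compile(r'\b%s\s*:\s*([^;]*?)\s*;' % k) for k in ('sid', 'gid', 'msg')}
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')
RANGE_RE = re.compile(r'^(\d+):(\d+)-(\d+):(\d+)$')
PAIR_RE = re.compile(r'^(\d+):(\d+)$')
MS_RE = re.compile(r'^MS\d{2}-', re.I)   # literal MS\d\d- prefix; regex only after it


class Rule:
    def __init__(self, category, line):
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('not a rule: ' + line)
        self.category, self.enabled = category, m.group('off') is None
        self.action, self.body = m.group('action'), m.group('body')
        self.sid = int(OPT_RE['sid'].search(line).group(1))
        gid = OPT_RE['gid'].search(line)
        self.gid = int(gid.group(1)) if gid else 1
        self.msg = OPT_RE['msg'].search(line).group(1).strip('"')
        # "reference:cve,2009-0233" becomes "cve:2009-0233" for matching
        self.refs = [r.replace(',', ':', 1) for r in REF_RE.findall(line)]

    def render(self):
        return ('' if self.enabled else '# ') + self.action + ' ' + self.body


def matcher(token):
    """Translate one modification-file token into a predicate over a Rule."""
    token = token.strip()
    m = RANGE_RE.match(token)
    if m:
        lo = (int(m.group(1)), int(m.group(2)))
        hi = (int(m.group(3)), int(m.group(4)))
        return lambda r: lo <= (r.gid, r.sid) <= hi
    m = PAIR_RE.match(token)
    if m:
        key = (int(m.group(1)), int(m.group(2)))
        return lambda r: (r.gid, r.sid) == key
    if token.lower().startswith('pcre:'):
        rx = re.compile(token[5:], re.I)            # full regex, case insensitive
        return lambda r: rx.search(r.msg) is not None
    if ':' in token:                                 # cve:2009-\d+, bugtraq:21301
        kind, pat = token.split(':', 1)
        rx = re.compile(re.escape(kind) + ':' + pat + '$', re.I)
        return lambda r: any(rx.match(ref) for ref in r.refs)
    if MS_RE.match(token):                           # MS09-008, MS00-\d+ (assumption:
        rx = re.compile(token, re.I)                 # searched in msg and references)
        return lambda r: any(rx.search(s) for s in [r.msg] + r.refs)
    return lambda r: r.category == token             # web-iis, shellcode, ...


def load_tokens(text):
    """Tokens are separated by commas or newlines; '#' lines are comments."""
    body = '\n'.join(l for l in text.splitlines() if not l.strip().startswith('#'))
    return [t for t in re.split(r'[,\n]', body) if t.strip()]


def apply_states(rules, disable='', drop='', enable='',
                 state_order=('disable', 'drop', 'enable')):
    """Apply the three files in state_order; a later operation overrides an
    earlier one, which is what lets you disable a whole category and then
    enable a rule or two back out of it. Assumption: a dropped rule is also
    enabled, since a disabled drop rule would do nothing."""
    texts = {'disable': disable, 'drop': drop, 'enable': enable}
    for op in state_order:
        preds = [matcher(t) for t in load_tokens(texts[op])]
        for r in rules:
            if not any(p(r) for p in preds):
                continue
            if op == 'disable':
                r.enabled = False
            elif op == 'drop':
                r.enabled, r.action = True, 'drop'
            else:
                r.enabled = True
    return rules


# Constructed sample ruleset, keyed by category (i.e. by source rules file)
SAMPLE = {
    'web-iis': [
        'alert tcp any any -> any 80 (msg:"WEB-IIS example one"; reference:cve,2009-0233; sid:3001; rev:1;)',
        'alert tcp any any -> any 80 (msg:"WEB-IIS example two"; reference:bugtraq,21301; sid:3002; rev:1;)',
    ],
    'exploit': [
        'alert tcp any any -> any 445 (msg:"EXPLOIT MS09-008 example"; sid:4001; rev:2;)',
        'alert tcp any any -> any 445 (msg:"EXPLOIT something else"; sid:4002; rev:1;)',
    ],
}


def load_rules(sample=SAMPLE):
    return [Rule(cat, line) for cat, lines in sample.items() for line in lines]


def state_table(rules):
    return {(r.gid, r.sid): (r.enabled, r.action) for r in rules}
```

With the default order, disabling the whole web-iis category and then enabling one of its rules by pcre: leaves exactly that rule on; reverse the order and the disable wins, which is the behaviour state_order exists to control.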
Slide 158
Rule Categories
Each ruleset from VRT or Emerging Threats (ET) contains categories that their rules belong to. These categories may be used in the sid modification configuration files (enablesid, dropsid and disablesid). The categories are listed in the file README.CATEGORIES in the PulledPork documentation directory. To implement in the sid modification files, list the categories in a comma separated list. The VRT categories available at this time are as follows:

attack-responses, bad-traffic, chat, ddos, decoder, exploit, finger, ftp, icmp, icmp-info, info, mysql, netbios, nntp, p2p, policy, preprocessor, rpc, rservices, scada, scan, sensitive-data, smtp, specific-threats, spyware-put, sql, telnet, tftp, virus, web-activex, web-attacks, web-client, web-coldfusion, web-frontpage, web-iis, web-misc, web-php, x11
Rule Modifications
Slide 159
Rules may be modified utilizing the configuration file modifysid.conf. The file format is demonstrated below. Note that this feature is only available for GID 1 rules. Great care should be taken so that rules are not "broken" during this process.
# formatting is simple
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
#
# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non modifyable!
#
# If you are attempting to change rulestate (enable,drop,disable) from here
# then you are doing it wrong, it is much more efficient to do so from within
# the respective rulestate modification configuration files, please see doc/
# and the README file!
#
# the following applies to sid 10010 and would be s/to_client/from_server/
10010 "to_client" "from_server"
# the following would replace HTTP_PORTS with HTTPS_PORTS in ALL GID:1 rules
#* "HTTP_PORTS" "HTTPS_PORTS"
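The "great care" warning above is worth turning into a check. The script below is an added example, not the training material's or PulledPork's code: it reads modifysid.conf lines in the format shown ('<sid or sid list> "old" "new"', with * meaning every GID:1 rule), applies each replacement only to GID:1 rules, and refuses any replacement whose result no longer has the shape of a rule (balanced parentheses, a closing paren at the end, a sid, a header that still parses), reporting it instead of writing it out. The rules and the deliberately bad third edit are constructed for the example.

```python
# Added example (not the manual's or PulledPork's code): apply modifysid.conf
# style edits to GID:1 rules only and reject any edit that would leave a rule
# without the pieces Snort needs. Rules and edits below are constructed.
import re
import shlex

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
# action proto src sport dir dst dport (
HEADER_RE = re.compile(
    r'^#?\s*(alert|drop|pass|log|sdrop|reject)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\(')


def parse_modifysid(text):
    """Yield (sid set or None for '*', old, new) from modifysid.conf text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)        # honours the double quotes around old/new
        if len(parts) != 3:
            raise ValueError('bad modifysid line: ' + line)
        target, old, new = parts
        sids = None if target == '*' else {int(s) for s in target.split(',')}
        yield sids, old, new


def looks_like_rule(line):
    """Cheap sanity check: header shape, balanced parens, sid still present."""
    return (HEADER_RE.match(line) is not None
            and line.rstrip().endswith(')')
            and line.count('(') == line.count(')')
            and SID_RE.search(line) is not None)


def apply_modifysid(rule_lines, modifysid_text):
    """Return (new_lines, rejected); rejected holds (sid, old, new, reason).
    Edits are applied in file order, so a later edit sees earlier results."""
    edits = list(parse_modifysid(modifysid_text))
    out, rejected = [], []
    for line in rule_lines:
        sid_m, gid_m = SID_RE.search(line), GID_RE.search(line)
        gid = int(gid_m.group(1)) if gid_m else 1
        if sid_m is None or gid != 1:
            out.append(line)              # not a GID:1 rule: never touched
            continue
        sid = int(sid_m.group(1))
        for sids, old, new in edits:
            if (sids is not None and sid not in sids) or old not in line:
                continue
            candidate = line.replace(old, new)
            if looks_like_rule(candidate):
                line = candidate
            else:
                rejected.append((sid, old, new, 'result is not a valid rule'))
        out.append(line)
    return out, rejected


# Constructed sample rules: two GID:1 rules and one GID:3 stub
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web"; flow:to_client; sid:10010; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web two"; sid:10011; rev:1;)',
    'alert tcp any any -> any 445 (msg:"EXAMPLE so stub"; gid:3; sid:10012; rev:1;)',
]
# Constructed modifysid.conf: the third edit would strip the closing paren
MODIFYSID = '''
# the following applies to sid 10010 only
10010 "to_client" "from_server"
# every GID:1 rule
* "HTTP_PORTS" "HTTPS_PORTS"
# a careless edit that breaks the rule
10011 ";)" ";"
'''

if __name__ == '__main__':
    new_lines, bad = apply_modifysid(RULES, MODIFYSID)
    print('\n'.join(new_lines))
    for item in bad:
        print('REJECTED:', item)
```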
Slide 160
In its most basic form, PulledPork uses a configuration file specified as an argument with the -c command line switch. PulledPork will proceed to replace the rules according to how you configured the pulledpork.conf file. For a complete list of PulledPork commands use the -? (help) switch.
Usage: /usr/local/bin/pulledpork.pl [-dEgHklnRTVw? -help] -c <config filename> -o <rule output path>
   -O <oinkcode> -s <so_rule output directory> -D <Distro> -S <Snortver>
   -p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
   -h <changelog path> -I (security|connectivity|balanced) -i <path to disablesid.conf>
   -b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>
   -r <path to docs folder> -K <directory for separate rules files>

Options:
   -help/?  Print this help info.
   -b       Where the dropsid config file lives.
   -C       Path to your snort.conf
   -c       Where the pulledpork config file lives.
   -d       Do not verify signature of rules tarball, i.e. downloading from
            non VRT or ET locations.
   -D       What Distro are you running on, for the so_rules
            For latest supported options see http://www.snort.org/snort-rules/shared-object-rules.
            Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04, CentOS-4.6, Centos-4-8,
            CentOS-5.0, Centos-5-4, FC-5, FC-9, FC-11, FC-12, RHEL-5.0, FreeBSD-6.3, FreeBSD-7-2,
            FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1, OpenSUSE-11-3
   -e       Where the enablesid config file lives.
   -E       Write ONLY the enabled rules to the output files.
   -g       grabonly (download tarball rule file(s) and do NOT process)
   -h       path to the sid changelog if you want to keep one?
   -H       Send a SIGHUP to the pids listed in the config file
   -I       Specify a base ruleset ( -I security, connectivity, or balanced, see README.RULESET)
   -i       Where the disablesid config file lives.
   -k       Keep the rules in separate files (using same file names as found when reading)
   -K       Where (what directory) do you want me to put the separate rules files?
   -l       Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)
   -L       Where do you want me to read your local.rules for inclusion in sid-msg.map
   -m       where do you want me to put the sid-msg.map file?
   -M       where the modifysid config file lives.
   -n       Do everything other than download of new files (disablesid, etc)
   -o       Where do you want me to put generic rules file?
   -p       Path to your Snort binary
   -R       When processing enablesid, return the rules to their ORIGINAL state
   -r       Where do you want me to put the reference docs (xxxx.txt)
   -S       What version of snort are you using (2.8.6 or 2.9.0) are valid values
   -s       Where do you want me to put the so_rules?
   -T       Process text based rules files only, i.e. DO NOT process so_rules
   -t       Where do you want me to put the so_rule stub files?
            ** Thus MUST be uniquely different from the -o option value
   -u       Where do you want me to pull the rules tarball from
            ** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas
   -V       Print Version and exit
   -v       Verbose mode, you know.. for troubleshooting and such nonsense.
   -w       EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense
[root@snortbox local]#
[Output of a PulledPork run]

[PulledPork banner: Copyright (c) 2009-2011 JJ Cummings, cummingsj@gmail.com, "Rules give me wings!"]

Rules tarball download of snortrules-snapshot-2911.tar.gz....
Prepping rules from snortrules-snapshot-2910.tar.gz for work...
Done!
...
Writing /usr/local/etc/snort/sid-msg.map....
Done
Done
Lab Exercises
Lab #1: PulledPork Installation

Perform a PulledPork installation using the instructions outlined in the installation section of this module.

Edit the pulledpork.conf file as follows:

Rule sets have been provided for you on bleda. Configure the location and rule file sections of the pulledpork.conf with:
- rule_path
- local_rules
- sid_msg
Uncomment and set the backup section of pulledpork.conf to:

backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

and set backup_file to the path for the backup tarball.

Set the disablesid option to:

disablesid=/etc/pulledpork/disablesid.conf

Save the changes and exit the pulledpork.conf file.
snort.conf

Comment out all the existing rule files (including preprocessor and shared object rules) in the snort.conf EXCEPT the following:

include $RULE_PATH/local.rules

One way to quickly accomplish this is to use the replace option in VI. Determine the line number that you want to start commenting the includes (for example line 528) and then enter command mode in VI and enter the following command:

:528,

Remember that the starting line number may be different in your snort.conf.

At the bottom of the disablesid.conf file add the following entries to disable the icmp and icmp-info rules:

icmp,icmp-info

Save the changes.
... /var/log/messages. If we search for the phrase "Snort rules read" we can compare the numbers earlier in the file with the last entry. This number should be different after the update. Examine the file /var/log/sid_changes.log to see the rules impacted.
Module Summary
Slide 163
This module presented information regarding rule updates, including discussions of some of the issues you should be concerned with. Your rule set is the backbone of your Snort installation and care should be taken when you perform an update so that your rule tuning efforts are not undone. Also discussed was an introduction to how you can automate the rule update process using PulledPork. Its configuration and usage were discussed in detail, in addition to how to exercise its various options.