
http://it4training.com

MODULE 8

Keeping Rules Up To Date

About This Module


Rule management is an important aspect of maintaining a Snort installation. Rules are updated very frequently and Snort administrators need to be able to stay on top of updates to counter the latest threats. This section describes some simple techniques for keeping rules current.

Module Objectives:

- Understand how rules are distributed
- Describe issues to be concerned with when updating rules
- Use automated rule updating tools
- Implementing shared object rules


Rule Maintenance
Slide 151
The primary source for rule updates is www.snort.org, where the latest rule sets are available for download. These rules are created by the Sourcefire Vulnerability Research Team (VRT). Rule updates may consist of new rules, modifications to existing rules or removal of rules. To protect against the latest threats it is always good practice to keep your rules current.

Obtaining Updated Rules


The illustration below shows the location in the snort.org site where the rules can be obtained. Note that the rule set you select will depend upon the version of Snort you are running. Also, the MD5 hash of the rules distribution file is available as well. It's always good practice to check the hash if it's provided on any download.

You may want to jot down the names of the files here as well. If you are using an automated tool to download the rules, you'll need to know the file name and location.

VRT Certified Rules


The VRT certified rules undergo a rigorous quality control process through Sourcefire's VRT and are the recommended rule sets for production usage of Snort. To obtain VRT certified rules, you have two options:

- You can subscribe with Sourcefire to obtain VRT certified rule sets as soon as they are made available, at a cost.
- You can register on the snort.org site and obtain VRT certified rules 30 days after they are released to VRT subscribers, at no cost.

Sourcefire will announce, through the Snort Blog and the http://snort.org site, the availability of new rules.


[Screenshot of the snort.org rules download page. Caption text recoverable from the image: "The Subscriber Release provides registered users of snort.org with immediate access to the most up to date Sourcefire VRT Certified Rules available. Note this requires a paid, annual subscription." and "The Registered User Release: Sourcefire VRT Certified Rules update available to registered users of snort.org free of charge 30 days after the initial release to subscribers." The page lists, per Snort version (Snort v2.9 and Snort v2.8.x), the snortrules-snapshot tarballs with their MD5 hashes and release dates.]


Changing Rule Sets


Snort has thousands of rules. You may have also added to that number by creating your own customized rules. This rule set, however, is not static. In other words, rules are constantly being updated and new rules are made available by the VRT. This way, the latest threats can be countered and Snort administrators all over the world can protect their networks against the latest threats. While it's nice that there is an active community of concerned security professionals keeping Snort as current as possible, from a practical perspective there are some issues to consider with respect to updating your own rule sets and staying current.

Some Things to Consider

Slide 152

Every Snort installation should be tuned for the environment it is monitoring. There are many options for tuning an installation, but one of the primary options is tuning the rules themselves. For performance purposes, you may have disabled some rules or removed entire classes of rules that may not have applied to the environment a given sensor is in. This is no trivial exercise; it often takes some time and lots of close monitoring of your sensors to get it right. Rule updates, if not applied with caution, may overwrite rule files and alter your configurations. With the large number of rules you have to deal with, recovery could be a time consuming, labor intensive effort. For this reason, the wise approach is to have good change control practices in place and automated tools to assist in the effort. Also, upon completion of rule updates, a thorough review of the changes should be conducted to ensure that your detection integrity remains as anticipated.


Automating the Rule Update Process


Slide 153
Rule updates can be performed manually or automatically. The method that you choose will be primarily dictated by the number of sensors you have to manage and the complexity of your rule configurations. For sensors that are highly tuned to a particular environment, the automated method is probably the better option. Manually re-tuning large numbers of rules may be prone to errors or misconfigurations.
One tool that works well for this application is called "PulledPork." This tool has the ability to do the following:

- Download updates from the site of your choice
- Download updates from multiple locations
- Add the new rules to your installation
- Update shared object rules
- Update the sid-msg.map file

As you can see, this is a fairly sophisticated tool with many helpful options. It is freely available from its homepage at http://code.google.com/p/pulledpork or from the snort.org site in the downloads/additional-downloads section. This tool is a Perl script, so, obviously, you must have Perl installed along with the needed Perl modules. Keep in mind that this tool is being updated as needed. Not every update to PulledPork is rolled into a new tarball. Keep an eye on the source tree and the change log to see what updates are available.


Installing PulledPork

Slide 154

The PulledPork distribution comes packed in a tarball like the other software you've used thus far. To stay consistent, you should place the PulledPork package with the rest of the software packages in the /usr/local directory. The version used in class is pulledpork-0.6.2 with several svn updates.
Use the following command to unpack it:

[root@snortbox snort]# cd /usr/local
[root@snortbox local]# tar zxvf src/pulledpork-0.6.2.tar.gz


Then, enter the newly created pulledpork-0.6.2 directory. There are several files that ship with the distribution that you should take the time to read for further information on using PulledPork. For this installation, you will not need to compile any code as you had to do previously. This time, you can simply copy some key files to their appropriate locations.

[root@snortbox local]# cd pulledpork-0.6.2
[root@snortbox pulledpork-0.6.2]# cp pulledpork.pl /usr/local/bin
[root@snortbox pulledpork-0.6.2]# chmod 755 /usr/local/bin/pulledpork.pl
[root@snortbox pulledpork-0.6.2]# mkdir /etc/pulledpork
[root@snortbox pulledpork-0.6.2]# cp etc/*.conf /etc/pulledpork/
[root@snortbox pulledpork-0.6.2]#
Configuring PulledPork

Slide 155

The primary configuration file for PulledPork is the pulledpork.conf file. Configuring this file is critical to the proper operation of the tool so you can take full advantage of its functionality. It is important to understand how PulledPork handles updates. PulledPork will consolidate text rules, with the exception of ignored files, into a single file called snort.rules. This has the advantage of simplifying the management of rules. In the snort.conf you would need to include this new file and exclude all the other .rules files. The benefit of this is that if a new .rules file is included from the VRT then these would be automatically added to the consolidated file and no further update would be needed to the snort.conf. The same thing occurs with the shared object rules. You would include the directory for the .so files and then include a single stub file. Rulesets may still be customized through the use of additional configuration files or the ignore option in the pulledpork.conf.


Configuring Location Options


The excerpt from the /etc/pulledpork/pulledpork.conf file below contains information on the various location configuration options:

# The rule_url value replaces the old base_url and rule_file configuration
# options. You can now specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234561 . You can
# specify each on an individual line, or you can specify them in a , separated
# list i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe
# i.e. url|tarball|123456789
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement
# rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
#
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore=dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules


Note the reference to the "Oinkcode". Registered users can generate an Oinkcode when they login to the snort.org site. The Oinkcode goes in the location indicated by the example in order to obtain the VRT certified rules.

Configuring the Temporary Directory and Path


PulledPork needs to be able to write to a temporary directory during the update process. This directory is defined in the following section:

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

Configuring the Rules Files, Directories and Sid-msg.map


PulledPork needs to be told where to put the new Snort rules file. This file would then need to be included in the snort.conf file. Any .rules files that you have created would need to be added to this section of this file so that the sid-msg.map file is updated properly. The sid-msg.map file is a signature mapping file used with applications like Barnyard and Barnyard2. This portion of the file configures these locations. The section also allows for the creation of a change log.

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, we are now creating a single large rules file
# but still keeping a separate file for your so-rules!
rule_path=/usr/local/etc/snort/rules/snort.rules

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths.
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/usr/local/etc/snort/rules/local.rules
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map

# where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
# this value is optional
sid_changelog=/var/log/sid_changes.log
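To show why local.rules must be listed here, an added Python example (not PulledPork's own code) that builds sid-msg.map lines in the v1 "sid || msg || reference" format from one or more rules files and looks up what Barnyard2 would label an alert. The rules excerpts are constructed, and the "Snort Alert [gid:sid:rev]" fallback label is an assumption about Barnyard2's behaviour for an unmapped sid.

```python
import re

# One Snort rule line (enabled or commented out); the option block is captured.
RULE_RE = re.compile(
    r'^\s*(?:#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s+\S.*?\((?P<opts>.*)\)\s*$')


def rule_fields(line):
    """Return (gid, sid, msg, [references]) for a rule line, or None for anything else."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m["opts"]
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', opts)
    msg = re.search(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;', opts)
    if not (sid and msg):
        return None
    gid = re.search(r'\bgid\s*:\s*(\d+)\s*;', opts)
    refs = [r.strip() for r in re.findall(r'\breference\s*:\s*([^;]+);', opts)]
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)), msg.group(1), refs)


def build_sid_msg_map(*rule_files):
    """sid-msg.map v1 lines ("sid || msg || ref || ref") for every rule in the given texts.

    Assumption: every rule with a sid is mapped, whether enabled or commented out,
    since a mapping for a rule that never fires is harmless."""
    entries = {}
    for text in rule_files:
        for line in text.splitlines():
            fields = rule_fields(line)
            if fields:
                gid, sid, msg, refs = fields
                entries[(gid, sid)] = " || ".join([str(sid), msg] + refs)
    return [entries[key] for key in sorted(entries)]


def lookup_msg(map_lines, sid):
    """What Barnyard2 displays for a sid: the mapped msg, or a generic label if unmapped."""
    for line in map_lines:
        fields = line.split(" || ")
        if int(fields[0]) == sid:
            return fields[1]
    return "Snort Alert [1:%d:0]" % sid   # assumed fallback for an unmapped sid


# Constructed excerpts: the consolidated snort.rules and a site-specific local.rules.
SNORT_RULES = """# constructed snort.rules excerpt
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXPLOIT sample"; reference:cve,2009-0233; reference:bugtraq,21301; sid:9837; rev:5;)
# alert udp any any -> any 53 (msg:"DNS sample disabled"; sid:254; rev:7;)
"""
LOCAL_RULES = """alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL sample"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    # Without local.rules in the map, alerts from sid 1000001 show only a generic label.
    print(lookup_msg(build_sid_msg_map(SNORT_RULES), 1000001))
    print(lookup_msg(build_sid_msg_map(SNORT_RULES, LOCAL_RULES), 1000001))
```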

Configuring the SO-Rules


Shared Object (SO) rules are binary, compiled rules that take advantage of Snort's dynamic plug-in capability. They provide an easy way of extending Snort's capabilities by effectively communicating directly with the Snort engine by way of an API. This capability removes any limitations imposed by the standard Snort rules language. This section of the file defines the parameters used for updating the rules.

The rules consist of two parts, the binary or .so file and a "stub" file. The stub file is like a traditional text rule and is used for tuning the .so rule. However, before you can use them you must properly configure the dynamic plug-in settings in addition to including the stub file as you would a regular rule file.


#######
# The below section is for so rule processing only. If you don't need to use them..
# then comment this section out!
# Alternately, if you are not using pulledpork to process so_rules, you can
# specify -T at runtime to bypass this altogether

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
distro=FreeBSD-8.0


Optional Settings
You can specify other settings for PulledPork including where to extract the rule documentation, the order for processing modifications, processes to HUP, versioning information and modification files to process.

####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!
# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# the following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www
#
# The following option, state_order, allows you to more finely control the
# order that pulledpork performs the modify operations, specifically the
# enablesid disablesid and dropsid functions. An example use case here
# would be to disable an entire category and later enable only a rule or
# two out of it. the valid values are disable, drop, and enable.
# state_order=disable,drop,enable


# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid
# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# Defining this value will set the Textonly flag, and thus will NOT allow
# you to use shared object rules. This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0
Rule Modification Files
You can specify what rule modification files you want to process automatically. These may also be called from the command line. Any options called from the command line will override the settings in the configuration file.

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Selecting Rulesets

Slide 156

The VRT includes metadata in the rules that allow for three basic pre-defined rule sets. These rulesets turn on specific rules for detection (note: at this time PulledPork does not change rule actions to "Drop").


# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security
The available rulesets are used as follows:

- Connectivity - You run a lot of real time applications (VoIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile, most likely to affect the largest number of people, type of vulnerabilities.
- Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks start here.
- Security - You don't care about dropping your boss's email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist start here.


Rule State Modifications

Slide 157

Rules may be disabled, enabled or set to drop utilizing additional configuration files. These files include disablesid.conf, enablesid.conf and dropsid.conf. PulledPork supports GIDs 1 and 3. These files are either enabled in the configuration file or called with a command line option. All the rule modification files accept the same style arguments as follows.

- GID:SID Pairs
- Rule Ranges
- MS and CVE Rules
- PCRE
- Categories

Below are examples of how you could modify the rule states.

example dropsid.conf

# Note: This file is used to specify what rules you wish to be set to have an
# action of drop rather than alert. This means that you are running snort inline
# (more info about inline deployments at snort.org).
# Example of modifying state for individual rules
# 1:9837,1:1210,1:33,1:1034,1:90,1:710,1:7249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013

# Example of modifying state for MS and cve rules, note the use of the : in cve.
# This will modify MS09-008, cve 2009-0233, bugtraq 21301, and all MS00 and all
# cve 2000 related sids! These support regular expression matching only after
# you have specified what you are looking for, i.e. MS00-<regex> or cve:<regex>,
# the first section CANNOT contain a regular expression (MS\d{2}-\d+ will NOT
# work, use the pcre: keyword (below) for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+


# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more
# information about regular expression syntax:
# http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# web-iis,shellcode,smtp
# any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# the modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
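The five argument styles above, implemented as an added Python example (my own illustration of the documented semantics, not PulledPork's code): it tokenises a dropsid/disablesid/enablesid file and selects the matching rules from a constructed rule set. Assumptions: MS bulletin ids are matched against url references, cve:/bugtraq: against the matching reference options, pcre: against the whole rule text, and any other token is a category name.

```python
import re

# One Snort rule line (enabled or commented out); the option block is captured.
RULE_RE = re.compile(
    r'^\s*(?:#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s+\S.*?\((?P<opts>.*)\)\s*$')
PAIR_RE = re.compile(r'^(\d+):(\d+)$')                 # 1:9837
RANGE_RE = re.compile(r'^(\d+):(\d+)-(\d+):(\d+)$')    # 1:220-1:3264
REF_RE = re.compile(r'^(cve|bugtraq):(.+)$', re.I)     # cve:2009-0233, cve:2000-\d+
MS_RE = re.compile(r'^MS\d{2}-.+$', re.I)              # MS09-008, MS00-\d+


def parse_rule(category, line):
    """Return {gid, sid, refs, category, text} for a rule line, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m["opts"]
    sid = re.search(r'\bsid\s*:\s*(\d+)', opts)
    if not sid:
        return None
    gid = re.search(r'\bgid\s*:\s*(\d+)', opts)
    refs = re.findall(r'\breference\s*:\s*(\w+)\s*,\s*([^;]+);', opts)
    return {"gid": int(gid[1]) if gid else 1, "sid": int(sid[1]),
            "refs": [(k.lower(), v.strip()) for k, v in refs],
            "category": category, "text": line}


def parse_selectors(text):
    """Split a dropsid/disablesid/enablesid file into tokens; '#' starts a comment,
    so a pcre in such a file must not contain '#'."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        tokens += [t.strip() for t in line.split(",") if t.strip()]
    return tokens


def rule_matches(rule, tok):
    """Does one selector token select this rule?"""
    if m := PAIR_RE.match(tok):
        return (rule["gid"], rule["sid"]) == (int(m[1]), int(m[2]))
    if m := RANGE_RE.match(tok):
        g1, s1, g2, s2 = map(int, m.groups())
        return rule["gid"] == g1 == g2 and s1 <= rule["sid"] <= s2
    if tok.lower().startswith("pcre:"):      # regex over the whole rule text, case-insensitive
        return re.search(tok[5:], rule["text"], re.I) is not None
    if m := REF_RE.match(tok):               # regex allowed only after the cve:/bugtraq: prefix
        return any(k == m[1].lower() and re.fullmatch(m[2], v, re.I) for k, v in rule["refs"])
    if MS_RE.match(tok):                     # assumption: MS bulletin ids sit in url references
        return any(k == "url" and re.search(tok, v, re.I) for k, v in rule["refs"])
    return tok.lower() == rule["category"].lower()   # anything else is a category name


def select_rules(rules, selector_text):
    """Sorted (gid, sid) list that a rule-state file would act on."""
    toks = parse_selectors(selector_text)
    return sorted({(r["gid"], r["sid"]) for r in rules
                   if any(rule_matches(r, t) for t in toks)})


# Constructed sample rules, tagged with the category file they came from.
SAMPLE_RULES = [parse_rule(cat, line) for cat, line in [
    ("web-iis", 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sample"; '
                'reference:url,www.microsoft.com/technet/security/bulletin/ms09-008.mspx; sid:15262; rev:3;)'),
    ("exploit", 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXPLOIT sample"; '
                'reference:cve,2009-0233; reference:bugtraq,21301; sid:9837; rev:5;)'),
    ("netbios", 'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample"; '
                'reference:url,www.microsoft.com/technet/security/bulletin/ms08-067.mspx; sid:14782; rev:2;)'),
    ("smtp", 'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sample"; sid:3000; rev:1;)'),
    ("web-iis", 'alert ip any any -> any any (msg:"SO stub sample"; gid:3; sid:13011; rev:1;)'),
]]

# A constructed dropsid.conf mixing the argument styles, comments included.
EXAMPLE_DROPSID = r"""# constructed dropsid.conf
1:9837,3:13010-3:13013
pcre:MS(0[7-9]|10)-\d+
smtp
"""

if __name__ == "__main__":
    print(select_rules(SAMPLE_RULES, EXAMPLE_DROPSID))
```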


Slide 158

Rule Categories
Each ruleset from VRT or Emerging Threats (ET) contains categories that their rules belong to. These categories may be used in the sid modification configuration files (enablesid, dropsid and disablesid). The categories are listed in the file README.CATEGORIES in the PulledPork documentation directory. To implement in the sid modification files list the categories in a comma separated list. The VRT categories available at this time are as follows:

attack-responses, backdoor, bad-traffic, chat, content-replace, ddos, decoder, dns, dos, experimental, exploit, finger, ftp, icmp, icmp-info, imap, info, misc, mysql, netbios, nntp, oracle, other-ids, p2p, policy, pop2, pop3, preprocessor, rpc, rservices, scada, scan, sensitive-data, smtp, snmp, specific-threats, spyware-put, sql, telnet, tftp, virus, voip, web-activex, web-attacks, web-cgi, web-client, web-coldfusion, web-frontpage, web-iis, web-misc, web-php, x11


Rule Modifications

Slide 159

Rules may be modified utilizing the configuration file modifysid.conf. The file format is demonstrated below. Note that this feature is only available for GID 1 rules. Great care should be taken so that rules are not "broken" during this process.

# example modifysid.conf v1.0 7/25/2010
# JJC
#
# formatting is simple
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
#
# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non modifyable!
#
# If you are attempting to change rulestate (enable,drop,disable) from here
# then you are doing it wrong, it is much more efficient to do so from within
# the respective rulestate modification configuration files, please see doc/
# and the README file!
#
# the following applies to sid 10010 only and represents what would normally
# be s/to_client/from_server/
10010 "to_client" "from_server"
# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
# rules
# * "HTTP_PORTS" "HTTPS_PORTS"
# multiple sids can be specified as noted below:
302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET"
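An added Python example, not PulledPork's code, that applies the three modifysid.conf lines shown above to a constructed set of rules and then checks that no edited rule stopped parsing or changed its sid, which is the "broken rule" risk the text warns about. The quoted pattern is treated as a regular expression, as the s/to_client/from_server/ comment indicates, and the replacement is inserted literally after unescaping \$.

```python
import re

# One Snort rule line (enabled or commented out); the option block is captured.
RULE_RE = re.compile(
    r'^\s*(?:#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s+\S.*?\((?P<opts>.*)\)\s*$')
# <sid or sid list | *> "regex to replace" "replacement"
MOD_RE = re.compile(r'^(\*|\d+(?:,\d+)*)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$')


def parse_modifysid(text):
    """Return [(sid_set_or_None, pattern, replacement)] for each active modifysid line."""
    mods = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MOD_RE.match(line)
        if not m:
            raise ValueError("malformed modifysid line: %r" % line)
        sids = None if m[1] == "*" else {int(s) for s in m[1].split(",")}
        # the replacement is inserted literally, so unescape \$ -> $ here
        mods.append((sids, m[2], re.sub(r"\\(.)", r"\1", m[3])))
    return mods


def apply_modifysid(rules, modifysid_text):
    """Apply modifysid substitutions to GID:1 rules only; returns a new [(gid, sid, text)] list."""
    mods = parse_modifysid(modifysid_text)
    out = []
    for gid, sid, text in rules:
        if gid == 1:                               # GID:3 stubs are never touched
            for sids, pattern, repl in mods:
                if sids is None or sid in sids:
                    text = re.sub(pattern, lambda _m: repl, text)
        out.append((gid, sid, text))
    return out


def broken_rules(rules):
    """(gid, sid) of rules that no longer parse, or whose sid/gid changed, after editing."""
    bad = []
    for gid, sid, text in rules:
        m = RULE_RE.match(text)
        opts = m["opts"] if m else ""
        got_sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', opts)
        got_gid = re.search(r'\bgid\s*:\s*(\d+)\s*;', opts)
        ok = (m is not None and got_sid is not None and int(got_sid[1]) == sid
              and (int(got_gid[1]) if got_gid else 1) == gid)
        if not ok:
            bad.append((gid, sid))
    return bad


# Constructed modifysid.conf using the three lines from the example above.
MODIFYSID = r"""# constructed modifysid.conf
10010 "to_client" "from_server"
* "HTTP_PORTS" "HTTPS_PORTS"
302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET"
"""

# Constructed rules as (gid, sid, text); the last one is a GID:3 stub.
SAMPLE_RULES = [
    (1, 10010, 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample 10010"; flow:to_client,established; sid:10010; rev:1;)'),
    (1, 302, 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample 302"; sid:302; rev:2;)'),
    (1, 500, 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"sample 500"; sid:500; rev:1;)'),
    (3, 13010, 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"so stub"; gid:3; sid:13010; rev:1;)'),
]

if __name__ == "__main__":
    edited = apply_modifysid(SAMPLE_RULES, MODIFYSID)
    for _gid, _sid, text in edited:
        print(text)
    print("broken:", broken_rules(edited))
```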


Pulled Pork Command Line Syntax

Slide 160

In its most basic form, PulledPork uses a configuration file specified as an argument with the -c command line switch. PulledPork will proceed to replace the rules according to how you configured the pulledpork.conf file. For a complete list of PulledPork commands use the -? option to display the command line help.

[root@snortbox local]# pulledpork.pl -?

Usage: /usr/local/bin/pulledpork.pl [-dEgHkInRTVw? -help] -c <config filename> -o <rule output path>
   -O <oinkcode> -s <so_rule output directory> -D <Distro> -S <Snortver>
   -p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
   -h <changelog path> -I (security|connectivity|balanced) -i <path to disablesid.conf>
   -b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>
   -r <path to docs folder> -K <directory for separate rules files>

Options:
   -help/? Print this help info.
   -b Where the dropsid config file lives.
   -C Path to your snort.conf
   -c Where the pulledpork config file lives.
   -d Do not verify signature of rules tarball, i.e. downloading from non VRT or ET locations.
   -D What Distro are you running on, for the so_rules
      For latest supported options see http://www.snort.org/snort-rules/shared-object-rules.
      Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04, CentOS-4.6, Centos-4-8, CentOS-5.0,
      Centos-5-4, FC-5, FC-9, FC-11, FC-12, RHEL-5.0, FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0,
      FreeBSD-8-0, FreeBSD-8-1, OpenSUSE-11-3
   -e Where the enablesid config file lives.
   -E Write ONLY the enabled rules to the output files.
   -g grabonly (download tarball rule file(s) and do NOT process)
   -h path to the sid changelog if you want to keep one?
   -H Send a SIGHUP to the pids listed in the config file
   -I Specify a base ruleset ( -I security, connectivity, or balanced, see README.RULESET)
   -i Where the disablesid config file lives.
   -k Keep the rules in separate files (using same file names as found when reading)
   -K Where (what directory) do you want me to put the separate rules files?
   -l Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)
   -L Where do you want me to read your local.rules for inclusion in sid-msg.map
   -m where do you want me to put the sid-msg.map file?
   -M where the modifysid config file lives.
   -n Do everything other than download of new files (disablesid, etc)
   -o Where do you want me to put generic rules file?
   -p Path to your Snort binary
   -R When processing enablesid, return the rules to their ORIGINAL state
   -r Where do you want me to put the reference docs (xxxx.txt)
   -S What version of snort are you using (2.8.6 or 2.9.0) are valid values
   -s Where do you want me to put the so_rules?
   -T Process text based rules files only, i.e. DO NOT process so_rules
   -t Where do you want me to put the so_rule stub files? ** Thus MUST be uniquely different from the -o option value
   -u Where do you want me to pull the rules tarball from ** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas
   -V Print Version and exit
   -v Verbose mode, you know.. for troubleshooting and such nonsense.
   -w EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense

[root@snortbox local]#


Pulled Pork Commands


Slide 161
Running PulledPork
To run PulledPork there are many command line options. The example below demonstrates using PulledPork.

[root@snortbox local]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf

    http://code.google.com/p/pulledpork/
[ASCII-art PulledPork pig banner: "PulledPork v0.6.2dev the Cigar Pig", "Copyright (C) 2009-2011 JJ Cummings cummingsj@gmail.com", "Rules give me wings!"]

Rules tarball download of snortrules-snapshot-2910.tar.gz....
Prepping rules from snortrules-snapshot-2910.tar.gz for work....
	Done!
Reading rules...
Generating Stub Rules....
	Done
Reading rules...
Processing /etc/pulledpork/disablesid.conf....
	Modified 98 rules
	Done
Setting Flowbit State....
	Done
Writing /etc/snort/rules/snort.rules....
	Done
Writing /etc/snort/rules/so_rules.rules....
	Done
Generating sid-msg.map....
	Done
Writing /etc/snort/sid-msg.map....
	Done
Creating backup at: /tmp/pp_backup.1314373354.tgz


Lab Exercises
Lab #1: PulledPork Installation
Perform a PulledPork installation using the instructions outlined in the installation section of this module.

Lab #2: Configuration Lab


Configure the file /etc/pulledpork/pulledpork.conf as follows:

Rule sets have been provided for you on bleda. Configure the location and rule file sections of the pulledpork.conf with:

rule_url=http://192.168.111.10/|snortrules-snapshot-2910.tar.gz|12345

- Comment out the other rule_url lines
- Configure the rule_path to point to your new rule file and local.rules:

rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules

- Specify the path to your sid-msg.map configuration file:

sid_msg=/etc/snort/sid-msg.map

- Update the locations and associated information for the SO rules.

config_path=/etc/snort/snort.conf
sostub_path=/etc/snort/rules/so_rules.rules
distro=Centos-5-4


Lab #3: Modify the Optional Settings

Uncomment and modify the lines

# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
to
backup=/etc/snort,/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# backup_file=/tmp/pp_backup
to
backup_file=/tmp/pp_backup

# disablesid=/usr/local/etc/snort/disablesid.conf
to
disablesid=/etc/pulledpork/disablesid.conf

Once the changes are made to the pulledpork.conf file save the changes and exit.


Lab #4: Modify the snort.conf

Add new rule files to the snort.conf
Prior to running the update make the following changes to the snort.conf

Comment out all the existing rule files (including preprocessor and shared object rules) in the snort.conf EXCEPT the following:

include $RULE_PATH/local.rules

One way to quickly accomplish this is to use the replace option in VI. Determine the line number that you want to start commenting the includes (for example line 528) and then enter command mode in VI and enter the following command:

:528,$s/include/#include

Remember that the starting line number may be different in your snort.conf

Add the following includes to Step #7 of the snort.conf:

include $RULE_PATH/snort.rules
include $RULE_PATH/so_rules.rules


Lab #5: Modify the disablesid.conf
Add rule files to be disabled in the disablesid.conf
To avoid conflicts in future labs we must disable certain rule types. Prior to running the update make the following changes to the /etc/pulledpork/disablesid.conf.

- At the bottom of the file add the following entries to disable icmp and icmp-info rules:

icmp,icmp-info

- Save the file and exit.


Lab #6: Rule Update Exercises

Create snort.rules
There is a reported bug in PulledPork that will generate an error if the file snort.rules does not exist (Issue 91). This will be fixed in an upcoming release. Before we run PulledPork we will create this file.

[root@snortbox local]# touch /etc/snort/rules/snort.rules


Run an Update with Pulled Pork
Run an update.

[root@snortbox local]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv


Restart Snort and Barnyard2
Snort and Barnyard2 must be restarted so the new so_rules and sid-msg.map file may be read.

[root@snortbox local]# service snortd restart && service barnyard2 restart

Lab #7: Verify the Rule Count

To observe the number of rules running inside Snort after the update we will look at the file /var/log/messages. If we search for the phrase "Snort rules read" we could observe the numbers earlier in the file versus the last entry. This number should be different after the update. Examine the file /var/log/sid_changes.log to see the rules impacted.

[root@snortbox ~]# cat /var/log/messages | grep "Snort rules read"

Look at the /tmp directory. There should be a file pp_backup.xxxxxxxxxx.tgz that contains a backup of your old rules and configurations.


Module Summary
Slide 163
This module presented information regarding rule updates, including discussions of some of the issues you should be concerned with. Your rule set is the backbone of your Snort installation and care should be taken when you perform an update so that your rule tuning efforts are not undone. Also discussed was an introduction to how you can automate the rule update process using PulledPork. Its configuration and usage were discussed in detail in addition to how to exercise its various options.
