SnortCP - 08 - Keep Rules Up to Date


Page 1: SnortCP - 08 - Keep Rules Up to Date

MODULE 8 Keeping Rules Up To Date

About This Module

Rule management is an important aspect of maintaining a Snort installation. Rules are updated very frequently and Snort administrators need to be able to stay on top of updates to counter the latest threats. This section describes some simple techniques for keeping rules current.

Module Objectives:

• Understand how rules are distributed
• Describe issues to be concerned with when updating rules
• Use automated rule updating tools
• Implement shared object rules

217

http://it4training.com

Page 2: SnortCP - 08 - Keep Rules Up to Date

Keeping Rules Up To Date

Slide 151

Rule Maintenance

The primary source for rule updates is www.snort.org, where the latest rule sets are available for download. These rules are created by the Sourcefire Vulnerability Research Team (VRT). Rule updates may consist of new rules, modifications to existing rules or removal of rules. To protect against the latest threats it is always good practice to keep your rules current.

Obtaining Updated Rules

The illustration below shows the location in the snort.org site where the rules can be obtained. Note that the rule set you select will depend upon the version of Snort you are running. Also, the MD5 hash of the rules distribution file is available as well. It's always good practice to check the hash if it's provided on any download.

You may want to jot down the names of the files here as well. If you are using an automated tool to download the rules, you'll need to know the file name and location.

VRT Certified Rules

The VRT certified rules undergo a rigorous quality control process through Sourcefire's VRT and are the recommended rule sets for production usage of Snort. To obtain VRT certified rules, you have two options:

• You can subscribe with Sourcefire to obtain VRT certified rule sets as soon as they are made available, at a cost.
• You can register on the snort.org site and obtain VRT certified rules 30 days after they are released to VRT subscribers, at no cost.

Sourcefire will announce, through the Snort Blog and the http://snort.org site, the availability of new rules.


Page 3: SnortCP - 08 - Keep Rules Up to Date

[Screenshot of the snort.org rules download page. The Subscriber Release provides registered users of snort.org with immediate access to the most up to date Sourcefire VRT Certified Rules available and requires a paid annual subscription; links are given for subscription information and the VRT Store. Below it are Documentation, VRT Advisory and Ruleset change log links and a list of snortrules-snapshot tarballs for Snort v2.9 and v2.8.6, each with its MD5 hash and release date. The Registered User Release: other Sourcefire VRT Certified Rules updates are available to registered users of snort.org free of charge 30 days after the initial release to subscribers.]

Page 4: SnortCP - 08 - Keep Rules Up to Date

Slide 152


Changing Rule Sets

Snort has thousands of rules. You may have also added to that number by creating your own customized rules. This rule set, however, is not static. In other words, rules are constantly being updated and new rules are made available by the VRT. This way, the latest threats can be countered and Snort administrators all over the world can protect their networks against the latest threats. While it's nice that there is an active community of concerned security professionals keeping Snort as current as possible, from a practical perspective there are some issues to consider with respect to updating your own rule sets and staying current.

Some Things to Consider

Every Snort installation should be tuned for the environment it is monitoring. There are many options for tuning an installation, but one of the primary options is tuning the rules themselves. For performance purposes, you may have disabled some rules or removed entire classes of rules that may not have applied to the environment a given sensor is in. This is no trivial exercise; it often takes some time and lots of close monitoring of your sensors to get it right.

Rule updates, if not applied with caution, may overwrite rule files and alter your configurations. With the large number of rules you have to deal with, recovery could be a time consuming, labor intensive effort. For this reason, the wise approach is to have good change control practices in place and automated tools to assist in the effort. Also, upon completion of rule updates, a thorough review of the changes should be conducted to ensure that the integrity of your rule set remains as anticipated.
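As an added example (not course material and not part of PulledPork), the following Python script covers the two checks the text asks for: verifying the MD5 published with a rules tarball (page 2) and, after an update, reporting which rules were added, removed, re-enabled or newly disabled, so tuning that an update silently overwrote can be spotted. The rule lines in BEFORE and AFTER are constructed samples; the tarball path and digest would be whatever you downloaded.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# A Snort text rule, optionally commented out.  A leading '#' means the rule is
# present in the file but disabled, which is exactly the tuning an update can undo.
_RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*?'
    r'\bsid:\s*(?P<sid>\d+)\s*;', re.IGNORECASE)
_GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def md5_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the MD5 of data against the published digest."""
    digest = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())


def verify_tarball(path: str, expected_hex: str) -> bool:
    """Check a downloaded rules tarball against the MD5 value published beside it."""
    with open(path, 'rb') as fh:
        return md5_matches(fh.read(), expected_hex)


def rule_states(lines: Iterable[str]) -> Dict[str, bool]:
    """Map 'gid:sid' -> True when the rule is enabled, False when commented out."""
    states: Dict[str, bool] = {}
    for line in lines:
        m = _RULE_RE.match(line.strip())
        if not m:
            continue                      # blank lines, comments, variable definitions
        g = _GID_RE.search(line)
        gid = g.group(1) if g else '1'    # text rules default to GID 1
        states[f'{gid}:{m.group("sid")}'] = m.group('disabled') is None
    return states


def review_update(before: Iterable[str], after: Iterable[str]) -> Dict[str, List[str]]:
    """Classify every rule whose presence or enabled state changed across an update."""
    old, new = rule_states(before), rule_states(after)
    report: Dict[str, List[str]] = {
        'added': [], 'removed': [], 'reenabled': [], 'newly_disabled': []}
    for key in sorted(set(old) | set(new),
                      key=lambda k: tuple(int(x) for x in k.split(':'))):
        if key not in old:
            report['added'].append(key)
        elif key not in new:
            report['removed'].append(key)
        elif new[key] and not old[key]:
            report['reenabled'].append(key)      # your tuning was overwritten
        elif old[key] and not new[key]:
            report['newly_disabled'].append(key)
    return report


# Constructed sample: a tuned snort.rules before and after an update.
BEFORE = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB constructed A"; sid:1000001; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"ICMP tuned out"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS constructed old"; sid:1000003; rev:2;)
""".splitlines()

AFTER = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB constructed A"; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP tuned out"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS constructed new"; sid:1000004; rev:1;)
""".splitlines()

if __name__ == '__main__':
    for kind, sids in review_update(BEFORE, AFTER).items():
        print(f'{kind:15s} {", ".join(sids) or "-"}')
```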


Page 5: SnortCP - 08 - Keep Rules Up to Date


Slide 153

Automating the Rule Update Process

Rule updates can be performed manually or automatically. The method that you choose will be primarily dictated by the number of sensors you have to manage and the complexity of your rule configurations. For sensors that are highly tuned to a particular environment, the automated method is probably the better option. Manually re-tuning large numbers of rules may be prone to errors or misconfigurations.

One tool that works well for this application is called "PulledPork." This tool has the ability to do the following:

• Download updates from the site of your choice
• Download updates from multiple locations
• Add the new rules to your installation
• Update shared object rules
• Update the sid-msg.map file

As you can see, this is a fairly sophisticated tool with many helpful options. It is freely available from its homepage at http://code.google.com/p/pulledpork or from the snort.org site in the downloads/additional-downloads section. This tool is a Perl script, so, obviously, you must have Perl installed along with the needed Perl modules. Keep in mind that this tool is being updated as needed. Every time there is an update, PulledPork may not be rolled into a new tarball. Keep an eye on the source tree and the changelog to see what updates are available.


Page 6: SnortCP - 08 - Keep Rules Up to Date


Slide 154

Installing PulledPork

The PulledPork distribution comes packed in a tarball like the other software you've used thus far. To stay consistent, you should place the PulledPork package with the rest of the software packages in the /usr/local directory. The version used in class is pulledpork-0.6.2 with several svn updates.

Use the following command to unpack it:

[root@snortbox snort]# cd /usr/local
[root@snortbox local]# tar zxvf src/pulledpork-0.6.2.tar.gz

Slide 155

Then, enter the newly created pulledpork-0.6.2 directory. There are several files that ship with the distribution you should take the time to read for further information on using PulledPork. For this installation, you will not need to compile any code as you had to do previously. This time, you can simply copy some key files to their appropriate locations:

[root@snortbox local]# cd pulledpork-0.6.2
[root@snortbox pulledpork-0.6.2]# cp pulledpork.pl /usr/local/bin
[root@snortbox pulledpork-0.6.2]# chmod 755 /usr/local/bin/pulledpork.pl
[root@snortbox pulledpork-0.6.2]# mkdir /etc/pulledpork
[root@snortbox pulledpork-0.6.2]# cp etc/*.conf /etc/pulledpork/
[root@snortbox pulledpork-0.6.2]#

Configuring PulledPork

The primary configuration file for PulledPork is the pulledpork.conf file. Configuring this file is critical to the proper operation of the tool so you can take full advantage of its functionality. It is important to understand how PulledPork handles updates. PulledPork will consolidate text rules, with the exception of ignored files, into a single file called snort.rules. This has the advantage of simplifying the management of rules. In the snort.conf you would need to include this new file and exclude all the other .rules files. The benefit of this is that if a new .rules file is included from the VRT then these rules would be automatically added to the consolidated file and no further update would be needed to the snort.conf. The same thing occurs with the shared object rules. You would include the directory for the .so files and then include a single stub file. Rulesets may still be customized through the use of additional configuration files or the ignore option in the pulledpork.conf.


Page 7: SnortCP - 08 - Keep Rules Up to Date


Configuring Location Options

The excerpt from the /etc/pulledpork/pulledpork.conf file below contains information on the various location configuration options:

# The rule_url value replaces the old base_url and rule_file configuration
# options. You can now specify one or as many rule_url's as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|123456 . You can
# specify each on an individual line, or you can specify them in a , separated
# list i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe
# i.e. url|tarball|123456789
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore=dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
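The four ignore forms described in the comments above, worked through in Python as an added example (this is not PulledPork's own code). It assumes the tarball layout the comments name, with the first path component being rules/, preproc_rules/ or so_rules/ and the category taken from the file name; the member list and the EXAMPLE_IGNORE line are the page's own example, reproduced as constructed input.

```python
from typing import List, Tuple

# Tarball directory -> the ignore suffix that targets only that rule type,
# as the pulledpork.conf comments describe them.
_SUFFIX_FOR_DIR = {'rules': '.rules', 'preproc_rules': '.preproc', 'so_rules': '.so'}


def parse_ignore(line: str) -> List[str]:
    """'ignore=dos,p2p.so' -> ['dos', 'p2p.so'] (comma separated, no spaces)."""
    key, _, value = line.strip().partition('=')
    if key != 'ignore':
        raise ValueError(f'not an ignore line: {line!r}')
    return [tok for tok in value.split(',') if tok]


def is_ignored(member: str, ignore: List[str]) -> Tuple[bool, str]:
    """Decide for one tarball member such as 'rules/netbios.rules'.

    Only the top directory and the file name matter, so a precompiled
    'so_rules/<distro>/netbios.so' is treated like 'so_rules/netbios.so'.
    Returns (skip?, reason).
    """
    parts = member.split('/')
    if len(parts) < 2 or parts[0] not in _SUFFIX_FOR_DIR:
        return False, 'not a rule directory'
    top, filename = parts[0], parts[-1]
    category, _, _ = filename.rpartition('.')        # dos.rules / dos.so -> dos
    for entry in ignore:
        if entry == category:                         # form 1: every rule type
            return True, f'{entry} matches every rule type'
        if entry == category + _SUFFIX_FOR_DIR[top]:  # forms 2-4: one type only
            return True, f'{entry} matches only {top}/'
    return False, 'kept'


def filter_members(members: List[str], ignore_line: str) -> List[str]:
    """Members PulledPork would still consolidate into snort.rules / so_rules.rules."""
    ignore = parse_ignore(ignore_line)
    return [m for m in members if not is_ignored(m, ignore)[0]]


# Constructed member list and the example ignore line quoted in the config.
MEMBERS = [
    'rules/dos.rules', 'so_rules/dos.so',
    'preproc_rules/sensitive-data.rules', 'rules/sensitive-data.rules',
    'rules/p2p.rules', 'so_rules/p2p.so',
    'rules/netbios.rules', 'so_rules/netbios.so',
    'rules/web-iis.rules', 'etc/sid-msg.map',
]
EXAMPLE_IGNORE = 'ignore=dos,sensitive-data.preproc,p2p.so,netbios.rules'

if __name__ == '__main__':
    for member in MEMBERS:
        skip, why = is_ignored(member, parse_ignore(EXAMPLE_IGNORE))
        print(f'{"IGNORE" if skip else "keep  "} {member:40s} {why}')
```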


Page 8: SnortCP - 08 - Keep Rules Up to Date


Note the reference to the "Oinkcode". Registered users can generate an Oinkcode when they login to the snort.org site. The Oinkcode goes in the location indicated by the example in order to obtain the VRT certified rules.

Configuring the Temporary Directory and Path

PulledPork needs to be able to write to a temporary directory during the update process. This directory is defined in the following section:

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

Configuring the Rules Files, Directories and Sid-msg.map

PulledPork needs to be told where to put the new Snort rules file. This file would then need to be included in the snort.conf file. Any .rules files that you have created would need to be added to this section of this file so that the sid-msg.map file is updated properly. The sid-msg.map file is a signature mapping file used with applications like Barnyard and Barnyard2. This portion of the file configures these locations. The section also allows for the creation of a change log.

Page 9: SnortCP - 08 - Keep Rules Up to Date

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so-rules!
rule_path=/usr/local/etc/snort/rules/snort.rules

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths.
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map

# where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
# this value is optional
sid_changelog=/var/log/sid_changes.log

Configuring the SO-Rules

Shared Object (SO) rules are binary, compiled rules that take advantage of Snort's dynamic plug-in capability. They provide an easy way of extending Snort's capabilities by communicating directly with the Snort engine by way of an API. This capability effectively removes any limitations imposed by the standard Snort rules language. This section of the file defines the parameters used for updating the rules.

The rules consist of two parts, the binary or .so file and a "stub" file. The stub file is like a traditional text rule and is used for tuning the .so rule. However, before you can use them you must properly configure the dynamic plug-in settings in addition to including the stub file as you would a regular rule file.


Page 10: SnortCP - 08 - Keep Rules Up to Date

#########################################
# The below section is for so rule processing only. If you don't
# need to use them.. then comment this section out!
# Alternately, if you are not using pulledpork to process
# so_rules, you can specify -T at runtime to bypass this altogether

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
distro=FreeBSD-8.0


Page 11: SnortCP - 08 - Keep Rules Up to Date


Optional Settings

You can specify other settings for PulledPork including where to extract the rule documentation, order for processing modifications, processes to HUP, versioning information and modification files to process.

####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!

# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# the following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable


Page 12: SnortCP - 08 - Keep Rules Up to Date

Slide 156


# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# Defining this value will set the Textonly flag, and thus will NOT allow
# you to use shared object rules. This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0

Rule Modification Files

You can specify what rule modification files you want to process automatically. These may also be called from the command line. Any options called from the command line will override the settings in the configuration file.

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

Selecting Rulesets

The VRT includes metadata in the rules that allow for three basic pre-defined rule sets. These rulesets turn on specific rules for detection (note: at this time PulledPork does not change rule actions to "Drop").


Page 13: SnortCP - 08 - Keep Rules Up to Date

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

The available rulesets are used as follows:

• Connectivity - You run a lot of real time applications (VOIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile most likely to affect the largest number of people type of vulnerabilities.

• Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks start here.

• Security - You don't care about dropping your bosses email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist start here.


Page 14: SnortCP - 08 - Keep Rules Up to Date

Slide 157


Rule State Modifications

Rules may be disabled, enabled or set to drop utilizing additional configuration files. These files include disablesid.conf, enablesid.conf and dropsid.conf. PulledPork supports GIDs 1 and 3. These files are either enabled in the configuration file or called with a command line option. All the rule modification files accept the same style arguments as follows:

• GID:SID Pairs
• Rule Ranges
• MS and CVE Rules
• PCRE
• Categories

Below are examples of how you could modify the rule states:

# example dropsid.conf v2
# Note: This file is used to specify what rules you wish to be set to have
# an action of drop rather than alert. This means that you are running
# snort inline (more info about inline deployments at snort.org).

# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010

# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013

# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+


Page 15: SnortCP - 08 - Keep Rules Up to Date


# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more
# information about regular expression syntax:
# http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+

# Example of modifying state for specific categories entirely
# (see README.CATEGORIES)
# web-iis,shellcode,smtp

# any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# the modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
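To make the five selector styles concrete, here is an added Python example (not PulledPork's own code) that reads a disablesid-style file and comments out the rules it selects. It assumes MS bulletin ids are found inside a rule's reference: URL and that cve:/bugtraq: selectors are matched against reference:cve, and reference:bugtraq, metadata, with the regex-after-the-prefix behaviour the comments describe; the five sample rules and SAMPLE_CONF are constructed.

```python
import re
from typing import List, Set, Tuple

Rule = Tuple[str, str]   # (category from the <category>.rules file name, rule text)
_SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
_GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
_REF_RE = re.compile(r'\breference:\s*([^;,]+),\s*([^;]+);')


def rule_id(text: str) -> Tuple[int, int]:
    """(gid, sid) of a rule; text rules without an explicit gid are GID 1."""
    g = _GID_RE.search(text)
    return (int(g.group(1)) if g else 1, int(_SID_RE.search(text).group(1)))


def parse_selectors(conf: str) -> List[str]:
    """Flatten a disablesid/enablesid/dropsid file into single selectors."""
    out: List[str] = []
    for line in conf.splitlines():
        line = line.split('#', 1)[0].strip()          # drop comments
        out.extend(tok.strip() for tok in line.split(',') if tok.strip())
    return out


def selector_matches(sel: str, category: str, text: str) -> bool:
    """Does one selector pick this rule?  The five styles the page lists."""
    gid, sid = rule_id(text)
    m = re.fullmatch(r'(\d+):(\d+)', sel)                     # GID:SID pair
    if m:
        return (gid, sid) == (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r'(\d+):(\d+)-(\d+):(\d+)', sel)         # rule range
    if m:
        g1, s1, g2, s2 = (int(x) for x in m.groups())
        return gid == g1 == g2 and s1 <= sid <= s2
    if sel.lower().startswith('pcre:'):                       # regex on whole rule
        return re.search(sel[5:], text, re.IGNORECASE) is not None
    m = re.fullmatch(r'(?i)MS(\d{2})-(.+)', sel)              # MS bulletin id
    if m:   # fixed MSxx- prefix, the tail may be a regex such as \d+
        return re.search(r'\bMS' + m.group(1) + '-' + m.group(2), text,
                         re.IGNORECASE) is not None
    m = re.fullmatch(r'(?i)(cve|bugtraq):(.+)', sel)          # reference type:value
    if m:
        return any(rtype.strip().lower() == m.group(1).lower()
                   and re.fullmatch(m.group(2), rval.strip()) is not None
                   for rtype, rval in _REF_RE.findall(text))
    return sel.lower() == category.lower()                    # category name


def apply_disablesid(rules: List[Rule], conf: str) -> Tuple[List[str], Set[Tuple[int, int]]]:
    """Comment out every rule hit by any selector; return new lines and the hits."""
    selectors = parse_selectors(conf)
    out: List[str] = []
    hit: Set[Tuple[int, int]] = set()
    for category, text in rules:
        if any(selector_matches(s, category, text) for s in selectors):
            hit.add(rule_id(text))
            out.append('# ' + text)      # a disabled rule stays in the file, commented
        else:
            out.append(text)
    return out, hit


# Constructed sample rules keyed by the category file they would come from.
SAMPLE_RULES: List[Rule] = [
    ('web-iis', 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS constructed A";'
                ' reference:url,technet.microsoft.com/security/bulletin/MS09-008; sid:9837; rev:1;)'),
    ('netbios', 'alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS constructed B";'
                ' reference:cve,2009-0233; reference:bugtraq,21301; sid:3000; rev:2;)'),
    ('icmp', 'alert icmp any any -> $HOME_NET any (msg:"ICMP constructed C"; sid:400; rev:1;)'),
    ('so_rules', 'alert tcp any any -> $HOME_NET 443 (msg:"SO stub constructed D"; gid:3; sid:13011; rev:1;)'),
    ('exploit', 'alert tcp any any -> $HOME_NET 21 (msg:"EXPLOIT constructed E"; sid:5000; rev:1;)'),
]

# Constructed disablesid.conf exercising each selector style from the page.
SAMPLE_CONF = """\
1:9837                          # GID:SID pair
1:220-1:3264                    # range, catches sid 400
MS10-\\d+,cve:2009-0233          # MS (no hit here) and cve reference
pcre:so stub                    # regex over the rule text, case insensitive
web-iis                         # whole category
"""

if __name__ == '__main__':
    lines, hits = apply_disablesid(SAMPLE_RULES, SAMPLE_CONF)
    print('disabled:', sorted(hits))
    print('\n'.join(lines))
```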


Page 16: SnortCP - 08 - Keep Rules Up to Date


Rule Categories

Each ruleset from VRT or Emerging Threats (ET) contains categories that their rules belong to. These categories may be used in the sid modification configuration files (enablesid, dropsid and disablesid). The categories are listed in the file README.CATEGORIES in the PulledPork documentation directory. To implement in the sid modification files list the categories in a comma separated list. The VRT categories available at this time are as follows:

decoder, preprocessor, sensitive-data, attack-responses,
icmp, pop2, voip, dns,
dos, experimental, oracle, other-ids,
tftp, backdoor, imap, pop3,
bad-traffic, info, rpc, web-activex,
netbios, nntp, spyware-put, sql,
telnet, icmp-info, rservices, web-attacks,
chat, scada, web-cgi, content-replace,
misc, snmp, specific-threats, web-php,
x11, ftp, policy, scan,
web-client, ddos, web-coldfusion, mysql,
smtp, web-frontpage, web-iis, web-misc,
exploit, finger, p2p, virus

Slide 158

Page 17: SnortCP - 08 - Keep Rules Up to Date

Slide 159


Rule Modifications

Rules may be modified utilizing the configuration file modifysid.conf. The file format is demonstrated below. Note that this feature is only available for GID 1 rules. Great care should be taken so that rules are not "broken" during this process.

# example modifysid.conf v1.0 7/25/2010 JJC
#
# formatting is simple
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
#
# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non modifyable!
#
# If you are attempting to change rulestate (enable,drop,disable) from here
# then you are doing it wrong, it is much more efficient to do so from within
# the respective rulestate modification configuration files, please see doc/
# and the README file!

# the following applies to sid 10010 only and represents what would normally
# be s/to_client/from_server/
10010 "to_client" "from_server"

# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
# rules
# * "HTTP_PORTS" "HTTPS_PORTS"

# multiple sids can be specified as noted below:
302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET"
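An added Python example (not PulledPork's own code) of the modifysid.conf format above: the "what I'm replacing" column is treated as a regular expression, as the s/to_client/from_server/ comment suggests, so "\$EXTERNAL_NET" matches the literal variable name, and the replacement has its backslash escapes removed; GID:3 stubs are skipped as the file says. The three rules and SAMPLE_CONF are constructed from the three example entries.

```python
import re
from typing import List, Optional, Set, Tuple

_SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
_GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
_ENTRY_RE = re.compile(r'^(\*|\d+(?:,\d+)*)\s+"(.*?)"\s+"(.*?)"\s*$')

Entry = Tuple[Optional[Set[int]], str, str]   # (sids, or None for '*'; pattern; replacement)


def parse_modifysid(conf: str) -> List[Entry]:
    """Read the entries; '*' means every GID:1 rule."""
    entries: List[Entry] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f'unparseable modifysid line: {raw!r}')
        sids = None if m.group(1) == '*' else {int(s) for s in m.group(1).split(',')}
        # The replacement is literal once its backslash escapes are removed,
        # so "\$HOME_NET" in the file becomes $HOME_NET in the rule.
        entries.append((sids, m.group(2), re.sub(r'\\(.)', r'\1', m.group(3))))
    return entries


def apply_modifysid(rules: List[str], conf: str) -> Tuple[List[str], int]:
    """Rewrite matching GID:1 rules; return the new rules and the substitution count."""
    entries = parse_modifysid(conf)
    out: List[str] = []
    changed = 0
    for text in rules:
        sid_m, gid_m = _SID_RE.search(text), _GID_RE.search(text)
        gid = int(gid_m.group(1)) if gid_m else 1      # text rules default to GID 1
        if sid_m and gid == 1:                         # GID:3 stubs are left alone
            sid = int(sid_m.group(1))
            for sids, pattern, repl in entries:
                if sids is None or sid in sids:
                    # pattern is a regex, like the s/old/new/ the file describes
                    text, n = re.subn(pattern, lambda _m: repl, text)
                    changed += n
        out.append(text)
    return out, changed


# Constructed sample rules: one per example entry, plus a GID:3 stub.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed A"; flow:to_client; sid:10010; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed B"; sid:302; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed C"; gid:3; sid:302; rev:1;)',
]

# Constructed modifysid.conf mirroring the three example entries on the page.
SAMPLE_CONF = """\
10010 "to_client" "from_server"
* "HTTP_PORTS" "HTTPS_PORTS"
302,429,1821 "\\$EXTERNAL_NET" "\\$HOME_NET"
"""

if __name__ == '__main__':
    rewritten, count = apply_modifysid(SAMPLE_RULES, SAMPLE_CONF)
    print(f'{count} substitutions')
    print('\n'.join(rewritten))
```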


Page 18: SnortCP - 08 - Keep Rules Up to Date

Slide 160


PulledPork Command Line Syntax

In its most basic form, PulledPork uses a configuration file specified as an argument with the -c command line switch. PulledPork will proceed to replace the rules according to how you configured the pulledpork.conf file.

For a complete list of PulledPork commands use the -? option to display the command line help.

[root@snortbox local]# pulledpork.pl -?

Usage: /usr/local/bin/pulledpork.pl [-dEgHklnRTVw? -help] -c <config filename>
  -o <rule output path> -O <oinkcode> -s <so_rule output directory> -D <Distro>
  -S <Snortver> -p <path to your snort binary> -C <path to your snort.conf>
  -t <sostub output path> -h <changelog path> -I (security|connectivity|balanced)
  -i <path to disablesid.conf> -b <path to dropsid.conf>
  -e <path to enablesid.conf> -M <path to modifysid.conf> -r <path to docs folder>
  -K <directory for separate rules files>

Options:
  -help/?  Print this help info.
  -b       Where the dropsid config file lives.
  -C       Path to your snort.conf
  -c       Where the pulledpork config file lives.
  -d       Do not verify signature of rules tarball, i.e. downloading from non VRT
           or ET locations.
  -D       What Distro are you running on, for the so_rules
           For latest supported options see http://www.snort.org/snort-rules/shared-object-rules.
           Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04,
           CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4, FC-5, FC-9, FC-11, FC-12,
           RHEL-5.0, FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0,
           FreeBSD-8-1, OpenSUSE-11-3
  -e       Where the enablesid config file lives.
  -E       Write ONLY the enabled rules to the output files.
  -g       grabonly (download tarball rule file(s) and do NOT process)
  -h       path to the sid changelog if you want to keep one?
  -H       Send a SIGHUP to the pids listed in the config file
  -I       Specify a base ruleset ( -I security, connectivity, or balanced, see
           README.RULESET)
  -i       Where the disablesid config file lives.
  -k       Keep the rules in separate files (using same file names as found when
           reading)
  -K       Where (what directory) do you want me to put the separate rules files?
  -l       Log Important Info to Syslog (Errors, Successful run etc, all items logged
           as WARN or higher)
  -L       Where do you want me to read your local.rules for inclusion in sid-msg.map
  -m       where do you want me to put the sid-msg.map file?
  -M       where the modifysid config file lives.
  -n       Do everything other than download of new files (disablesid, etc)
  -o       Where do you want me to put generic rules file?
  -p       Path to your Snort binary
  -R       When processing enablesid, return the rules to their ORIGINAL state
  -r       Where do you want me to put the reference docs (xxxx.txt)
  -S       What version of snort are you using (2.8.6 or 2.9.0) are valid values
  -s       Where do you want me to put the so_rules?
  -T       Process text based rules files only, i.e. DO NOT process so_rules
  -t       Where do you want me to put the so_rule stub files?
           ** This MUST be uniquely different from the -o option value
  -u       Where do you want me to pull the rules tarball from
           ** E.g., ET, Snort.org. See pulledpork config rule_url option for value
           ideas
  -V       Print Version and exit
  -v       Verbose mode, you know.. for troubleshooting and such nonsense..
  -w       EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such
           nonsense..
[root@snortbox local]#

Page 19: SnortCP - 08 - Keep Rules Up to Date


Page 20: SnortCP - 08 - Keep Rules Up to Date

Slide 161


Pulled Pork Commands

Running PulledPork

To run PulledPork there are many command line options. The example below demonstrates using PulledPork.

[root@snortbox local]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf

[PulledPork "Cigar Pig" ASCII-art banner: http://code.google.com/p/pulledpork/, PulledPork v0.6.2dev, Copyright (c) 2009-2011 JJ Cummings, cummingsj@gmail.com, "Rules give me wings!"]

Rules tarball download of snortrules-snapshot-2910.tar.gz....
Prepping rules from snortrules-snapshot-2910.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Processing /etc/pulledpork/disablesid.conf....
Modified 98 rules
Done
Setting Flowbit State....
Done
Writing /etc/snort/rules/snort.rules....
Done
Writing /etc/snort/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/snort/sid-msg.map....
Done
Creating backup at: /tmp/pp_backup.1314373354.tgz
Done


Page 21: SnortCP - 08 - Keep Rules Up to Date


Lab Exercises

Lab #1: PulledPork Installation

Perform a PulledPork installation using the instructions outlined in the installation section of this module.

Lab #2: Configuration Lab

Configure the /etc/pulledpork/pulledpork.conf file as follows:

• Rule sets have been provided for you on bleda. Configure the location and rule file sections of the pulledpork.conf with:

  rule_url=http://192.168.111.10/|snortrules-snapshot-2910.tar.gz|12345

• Comment out the other rule_url lines

• Configure the rule_path to point to your new rule file and local.rules:

  rule_path=/etc/snort/rules/snort.rules
  local_rules=/etc/snort/rules/local.rules

• Specify the path to your sid-msg.map configuration file:

  sid_msg=/etc/snort/sid-msg.map

• Update the locations and associated information for the SO rules.

  config_path=/etc/snort/snort.conf
  sostub_path=/etc/snort/rules/so_rules.rules
  distro=Centos-5-4


Lab #3: Modify the Optional Settings

• Uncomment and modify the lines

# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

to

backup=/etc/snort,/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# backup_file=/tmp/pp_backup

to

backup_file=/tmp/pp_backup

#disablesid=/usr/local/etc/snort/disablesid.conf

to

disablesid=/etc/pulledpork/disablesid.conf

• Once the changes are made to the pulledpork.conf file, save the changes and exit.


Lab #4: Modify the snort.conf

Add new rule files to the snort.conf

Prior to running the update, make the following changes to the snort.conf.

• Comment out all the existing rule files (including preprocessor and shared object rules) in the snort.conf EXCEPT the following:

include $RULE_PATH/local.rules

One way to quickly accomplish this is to use the substitute command in vi. Determine the line number at which you want to start commenting the includes (for example line 528), then enter command mode in vi and enter the following command:

:528,$s/include/#include

Remember that the starting line number may be different in your snort.conf.

• Add the following includes to Step #7 of the snort.conf:

include $RULE_PATH/snort.rules

include $RULE_PATH/so_rules.rules

Lab #5: Modify the disablesid.conf

Add rule categories to be disabled in the disablesid.conf

To avoid conflicts in future labs we must disable certain rule types. Prior to running the update, make the following changes to /etc/pulledpork/disablesid.conf.

• At the bottom of the file add the following entry to disable the icmp and icmp-info rules:

icmp,icmp-info

• Save the file and exit.


Lab #6: Rule Update Exercises

Create snort.rules

There is a reported bug in PulledPork that will generate an error if the file snort.rules does not exist (Issue 91). This will be fixed in an upcoming release. Before we run PulledPork we will create this file.

[root@snortbox local]# touch /etc/snort/rules/snort.rules

Run an Update with PulledPork

Run an update.

[root@snortbox local]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv

Restart Snort and Barnyard2

Snort and Barnyard2 must be restarted so that the new so_rules and sid-msg.map file are read.

[root@snortbox local]# service snortd restart && service barnyard2 restart

Lab #7: Verify the Rule Count

To observe the number of rules running inside Snort after the update, look at the file /var/log/messages. Snort logs the phrase "Snort rules read" each time it starts, so searching for it lets you compare the count logged earlier in the file with the count in the last entry. This number should be different after the update. Examine the file /var/log/sid_changes.log to see the rules impacted.

[root@snortbox ~]# cat /var/log/messages | grep "Snort rules read"

Look at the /tmp directory. There should be a file pp_backup.xxxxxxxxxx.tgz that contains a backup of your old rules and configurations.
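The check in Lab #7 compares the "Snort rules read" entries written at successive Snort starts. The script below is an added example, not part of the course material: it pulls the first and last counts out of syslog-format messages (from stdin or a file argument) and reports the difference, failing when the count did not change. The log lines it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example: compare the Snort rule count at the first and last start-up
# recorded in a syslog-format file such as /var/log/messages.
# Snort logs a line of the form "<N> Snort rules read" on every start.

# Constructed sample standing in for /var/log/messages: one start before the
# PulledPork update (3 rules, local.rules only) and one after it (14876 rules).
SAMPLE_MESSAGES="$(cat <<'EOF'
Aug 26 11:40:02 snortbox snort[2211]: Initializing rule chains...
Aug 26 11:40:05 snortbox snort[2211]: 3 Snort rules read
Aug 26 11:40:05 snortbox snort[2211]:     3 detection rules
Aug 26 12:03:10 snortbox snort[2533]: Initializing rule chains...
Aug 26 12:03:14 snortbox snort[2533]: 14876 Snort rules read
Aug 26 12:03:14 snortbox snort[2533]:     14876 detection rules
EOF
)"

# rule_counts [FILE...]: print "<first> <last>" rule counts seen in the
# "Snort rules read" lines. The count is the word three fields before the
# end of the line ("<N> Snort rules read"), which survives any syslog prefix.
rule_counts() {
    grep 'Snort rules read' "$@" | awk '
        { if (NR == 1) first = $(NF-3); last = $(NF-3) }
        END { if (NR > 0) print first, last }'
}

# rule_count_delta [FILE...]: print last-minus-first and return 0 only when
# the count changed. An unchanged count means the update did not take effect
# or Snort was not restarted; no entries at all returns 2.
rule_count_delta() {
    set -- $(rule_counts "$@")
    if [ -z "$2" ]; then
        echo "no 'Snort rules read' entries found" >&2
        return 2
    fi
    echo $(( $2 - $1 ))
    [ "$1" -ne "$2" ]
}

# Demonstration on the constructed sample; on a real sensor read the live file
# instead, e.g. rule_count_delta /var/log/messages
echo "rule counts (first last): $(printf '%s\n' "$SAMPLE_MESSAGES" | rule_counts)"
echo "change after update: $(printf '%s\n' "$SAMPLE_MESSAGES" | rule_count_delta)"
```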


Slide 163

Module Summary

This module presented information regarding rule updates, including a discussion of some of the issues you should be concerned with. Your rule set is the backbone of your Snort installation, and care should be taken when you perform an update so that your rule tuning efforts are not undone. The module also introduced how you can automate the rule update process using PulledPork; its configuration and usage were discussed in detail, along with how to exercise its various options.
