Sunday, June 26, 2005

Trying Snort VRT Rules and Oinkmaster

Last week I finally registered with Snort.org to gain access to the rules created by the Sourcefire VRT. The process was really simple, especially now that security/oinkmaster is in the FreeBSD ports tree. I describe the experience from the perspective of running Sguil, but the general concepts apply to anyone using Snort.

After registering with Snort.org, logging in, and clicking the "Get Code" button at the bottom of the User Preferences page, I added the code to my oinkmaster.conf file.

url = http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/snortrules-snapshot-2.3.tar.gz

Then I ran Oinkmaster in the /nsm/rules/testing directory on my Sguild server.

allison:/root# oinkmaster -v -o /nsm/rules/testing
Loading /usr/local/etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /usr/bin
Found tar binary in /usr/bin
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/snortrules-snapshot-2.3.tar.gz...
--18:45:57-- http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/snortrules-snapshot-2.3.tar.gz
=> `/tmp/oinkmaster.5846XLP3r9/url.s8OALJAggP/snortrules.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
...edited...
18:46:00 (500.29 KB/s) - `/tmp/oinkmaster.5846XLP3r9/url.s8OALJAggP/snortrules.tar.gz' saved [766903]

Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules...
disabled 0, enabled 0, modified 0, total=3166
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating rules... done.

[***] Results from Oinkmaster started 20050626 18:46:25 [***]
...truncated...

I noticed the following license header added to each of the rules files, for example x11.rules.

-> Added to x11.rules (17):
# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.

The old copyrights are gone.

-> Removed from x11.rules (2):
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.

Now that the rules in /nsm/rules/testing are updated, I run a quick sanity check (snort -T, which parses the configuration and rules and then exits) to see whether they work with my snort.conf and version of Snort.

snort -T -c /usr/local/etc/snort.conf
Running in IDS mode

Initializing Network Interface xl0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface xl0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
...edited...
2699 Snort rules read...
2699 Option Chains linked into 193 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
...edited...
--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.3.3 (Build 14)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.


Snort sucessfully loaded all rules and checked all rule chains!
...edited...
Snort exiting

Now that I know Snort will run with the new rules, I copy them to the directories on the Sguil server corresponding to the rules used on a sensor. I also copy them to the sensor itself after creating an archive of the new rules.

Once I unpack the new rules on the sensor, I try running 'snort -T' again to double-check the validity of the rules. If the rules pass (and they should, being a copy of what I just validated), I shut down the old Snort process and start a new one.
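The staged update described above (download into a testing directory, validate with snort -T, promote only on success) as a small POSIX shell script. This is an added example, not code from the original post or from Oinkmaster; the live rules directory, the validator command string and the rollback archive location are assumptions, and the snort.conf passed to the validator is assumed to point at the testing directory.

```shell
#!/bin/sh
# Staged Snort rule update (added example, not from the original post).
# Flow: oinkmaster -> /nsm/rules/testing, then `snort -T`, then promote.
# Assumed: the snort.conf given to the validator references the testing
# directory, so `snort -T` exercises exactly the rules being promoted.

# fetch_rules TESTING_DIR
#   Runs Oinkmaster into TESTING_DIR (-o) with the system config (-C).
#   Returns Oinkmaster's exit status.
fetch_rules() {
    oinkmaster -o "$1" -C /usr/local/etc/oinkmaster.conf
}

# promote_rules TESTING_DIR LIVE_DIR VALIDATOR
#   VALIDATOR is a command string such as
#   "snort -T -c /usr/local/etc/snort.conf" and must exit 0 before any
#   file is copied.  The current live rules are archived next to LIVE_DIR
#   (assumed layout) so a bad update can be rolled back.  Returns 1 and
#   leaves LIVE_DIR untouched when validation fails.
promote_rules() {
    testing=$1; live=$2; validator=$3
    if ! sh -c "$validator" >/dev/null 2>&1; then
        echo "validation failed; leaving $live untouched" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$live"
    # Keep a copy of what is live now, then overwrite with the tested set.
    tar -C "$live" -cf "$live.$stamp.tar" .
    cp "$testing"/*.rules "$live"/
    return 0
}

# Typical invocation (restart the Snort process afterwards, as in the post):
#   fetch_rules /nsm/rules/testing && \
#   promote_rules /nsm/rules/testing /nsm/rules/live \
#       "snort -T -c /usr/local/etc/snort.conf"
```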
