behind the scenes with snort – part 1
Today I am performing some maintenance on my Snort IDS, and also practicing for my upcoming Snort CP exam. We shall examine some scripts and applications that can be used to make Snort a little more automated and transparent to the administrator, as well as increase Snort’s overall performance. What I’d like to focus on today is oinkmaster and crontab.
The scope of this post, however, assumes that you have snort installed already, and are advanced enough to understand your IDS system. I am not going to cover the installation of snort at this time. Today I am just going to cover some automation and performance.
Let’s get ready to Snort it up.
So you have Snort installed and running, but what is Snort without a working ruleset to check traffic against? Useless is what it is. So let’s talk about the Snort rule sets and oinkmaster for a minute. There are two main distributions of Snort rules: the Sourcefire VRT ruleset and the Bleeding Snort rules. The difference between the two is this: the VRT ruleset is subscription based ($$$) and a lot cleaner than the Bleeding Edge rules. Bleeding Edge, however, is free and has the very newest community-generated rules (updated daily if not sooner). So if you are poor and can live with some rough-around-the-edges rules, Bleeding Snort is for you. Sourcefire does provide a free version of their ruleset, but it is at minimum a month behind the subscription service. I use the Bleeding Edge rules, and so all examples in this post are based on that ruleset.
Let’s begin by downloading oinkmaster from here. Save the tarball to a temp location and uncompress it (tar xfzv oinkmaster-2.0.tar.gz). Oinkmaster does not require any compiling, as it is a set of Perl scripts. Copy oinkmaster.pl to somewhere logical, like /usr/bin, then copy makesidex.pl to the same location; makesidex.pl lives in the contrib directory of the oinkmaster tarball you just unpacked. Now that you have both Perl scripts in /usr/bin (or the location of your choice):
I chown’ed both Perl scripts to the account I run Snort as: (sudo/root) chown snort:snort /usr/bin/oinkmaster.pl /usr/bin/makesidex.pl
Now, let’s take a look at the oinkmaster configuration file. I use a very very simple one myself; though one day I may dig deeper into it in another post. For now what I use meets my needs (YMMV), my example oinkmaster.conf may be downloaded from here.
Now that we have oinkmaster.pl and makesidex.pl in /usr/bin and oinkmaster.conf in /etc, we can begin updating our Snort ruleset from Bleeding Edge Snort. I like to do a dry run before I automate anything; that way I know I am not automating a giant error. Before the dry run, make sure that /etc/oinkmaster.conf, /etc/snort/rules and the .rules files inside it are all owned by snort (or whatever account you decided to use), and that the *.rules files are properly listed in your snort.conf.
**** DO NOT RUN OINKMASTER AS ROOT ****
(su snort) /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules
If all went well with the dry run, you should see some beginning output to the console like this:
lepus:/etc$ /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules/
Loading /etc/oinkmaster.conf
Downloading file from http://www.bleedingsnort.com/bleeding.rules.tar.gz… done.
Archive successfully downloaded, unpacking… done.
Setting up rules structures… done.
Following this you will see a long wall of output scroll by; this is oinkmaster pulling down the whole ruleset for the first time, so it will take a while. Go get a coffee. If you are satisfied with the results of this dry run, and Snort still parses its configuration with the new rules in place (snort -T -c /etc/snort/snort.conf tests the config and exits without touching the running sensor), we can automate the process. Let’s edit the snort user’s crontab:
lepus:/etc# crontab -u snort -e
30 5 * * * /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules > /dev/null 2>&1
This will cause oinkmaster to download and update its defined rulesets every day at 5:30AM.
You will notice an extra option in the command that I haven’t covered yet: -C /etc/autodisable.conf. Oinkmaster accepts -C more than once, and this second conf file is generated by the makesidex.pl script we copied into /usr/bin earlier. Right off the bat makesidex.pl is not of much use to you, but as time goes on and you customize your rules it will be your savior. makesidex.pl walks each .rules file and prints a disablesid line for every rule you have disabled (commented out with #), so autodisable.conf becomes a record of the individual SIDs you turned off. If you turned them off once, you don’t want them coming back every morning at 5:30AM, do you?
(sudo/root) lepus:/etc# /usr/bin/makesidex.pl /etc/snort/rules/ > /etc/autodisable.conf
Then you will need to chown snort:snort /etc/autodisable.conf
This process does not need to be automated, because unless your sole purpose in life is to write and disable Snort rules, not much will change. Re-run makesidex.pl (and the chown) whenever you comment out more rules, otherwise the next update turns them back on. Besides, I do not think disabling rules across the board is a good idea; thresholding is there for a reason. But in the event you do disable a ton of rules, makesidex.pl is your friend.
The last step we need to cover is adding another snort user crontab entry. We need Snort to restart itself after the rulesets are updated so it picks up the new rules. I made my own init.d script for Snort, which can be downloaded here. In the snort user’s crontab I am going to call this init.d script; you will need to edit it so Snort is started properly within your environment. Oinkmaster really should not take long to run, unless you are grabbing a bunch of rulesets or updating multiple IDSes, so a fifteen-minute gap is plenty ... moving on.
Our new snort user’s crontab appears as follows:
30 5 * * * /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules > /dev/null 2>&1
45 5 * * * /etc/init.d/snort restart > /dev/null 2>&1
Same as before, updating the rules at 5:30AM, but now we have added a line to restart Snort at 5:45AM. Keep in mind that the 5:45 restart fires whether or not the 5:30 update succeeded: if a freshly downloaded rule does not parse, Snort exits on startup and the sensor stays down until you notice, so check Snort’s log the morning after a change.
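The two cron entries work, but the restart is unconditional. The script below is an added example, not code from the original post or from the oinkmaster project: it folds both cron jobs into one run that refuses to execute as root, checks that the files oinkmaster writes are owned by the running account, runs oinkmaster with both config files, validates the merged ruleset with Snort’s test-and-exit mode (snort -T -c), and restarts only if that passes. Paths are the ones used in this post; the backup directory, the log file, the /usr/sbin/snort binary location and the script name update-snort-rules.sh are assumptions, all overridable through the environment.

```shell
#!/bin/sh
# update-snort-rules.sh (added example; not part of the original post).
# One cron job instead of two: update, verify, then restart Snort.
# Defaults follow the post; the backup dir, log file and snort binary
# path are assumptions. Override any of them via the environment.

OINKMASTER=${OINKMASTER:-/usr/bin/oinkmaster.pl}
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
AUTODISABLE=${AUTODISABLE:-/etc/autodisable.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/snort-rules}   # target of oinkmaster -b (assumed)
SNORT=${SNORT:-/usr/sbin/snort}                       # assumed binary location
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_INIT=${SNORT_INIT:-/etc/init.d/snort}
LOG=${LOG:-/var/log/snort/oinkmaster.log}             # assumed log path
RUN_UID=${RUN_UID:-$(id -u)}      # cron should run this as the snort user
RUN_USER=${RUN_USER:-$(id -un)}

# Refuse to run as root: oinkmaster downloads and unpacks an archive from the
# network, and that code path must never execute with uid 0.
refuse_root() {
    if [ "$1" -eq 0 ]; then
        echo "refusing to run as root; run as the snort user" >&2
        return 1
    fi
}

# Everything oinkmaster writes to must belong to the account running it, or
# the update dies half-way. ls -ld/awk works on GNU and BSD alike.
check_owner() {
    want=$1; shift
    for p in "$@"; do
        owner=$(ls -ld "$p" 2>/dev/null | awk '{print $3}')
        if [ "$owner" != "$want" ]; then
            echo "$p is owned by '${owner:-<missing>}', expected $want" >&2
            return 1
        fi
    done
}

update_rules() {
    refuse_root "$RUN_UID" || return 1
    check_owner "$RUN_USER" "$OINK_CONF" "$AUTODISABLE" "$RULES_DIR" || return 1
    mkdir -p "$BACKUP_DIR"

    # 1. Fetch and merge. -C may be given twice; -b keeps the previous rules
    #    so a bad update can be rolled back by hand.
    if ! "$OINKMASTER" -C "$OINK_CONF" -C "$AUTODISABLE" -b "$BACKUP_DIR" \
            -o "$RULES_DIR" >>"$LOG" 2>&1; then
        echo "oinkmaster failed (see $LOG); Snort keeps running on the old rules" >&2
        return 2
    fi

    # 2. Parse snort.conf plus the new .rules files without sniffing.
    #    -T is Snort's test-and-exit mode: a broken rule shows up here
    #    instead of as a dead sensor after a blind restart.
    if ! "$SNORT" -T -c "$SNORT_CONF" >>"$LOG" 2>&1; then
        echo "new ruleset does not load (snort -T failed); not restarting" >&2
        return 3
    fi

    # 3. Only now pick up the new rules.
    "$SNORT_INIT" restart >>"$LOG" 2>&1
}

# Run only when executed under the installed name, so the functions can be
# sourced from other scripts without side effects.
case "${0##*/}" in
    update-snort-rules.sh) update_rules "$@" ;;
esac
```

Install it somewhere like /usr/local/sbin, make it executable, and replace the two crontab lines with a single `30 5 * * * /usr/local/sbin/update-snort-rules.sh` in the snort user’s crontab. If oinkmaster fails, Snort is left running as it was; if the merged rules do not parse, the running Snort keeps the rules it already has in memory and the backup directory holds the previous files for a manual rollback. In both cases the reason is in the log rather than in /dev/null.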
Conclusion:
That pretty much sums up part 1 of a behind-the-scenes look at Snort. We covered oinkmaster, the VRT and Bleeding Edge rulesets, and automating the update process. In part 2, I will cover barnyard and unified logging. We will also cover some snort.conf tweaks and possibly using an alternate version of libpcap, so that Snort can take advantage of PCAP_FRAMES.
Hope you enjoyed this post, and as always I hope it inspires you to experiment and see what else you can learn.