global rule changes with oinkmaster


For those of you who have upgraded to Snort 2.8.0, I have a quick tip for you. If you hadn’t heard yet, Snort no longer supports the use of the dsize directive within Snort rules. Thankfully, the existing rules that use this directive don’t cause Snort to crash. However, as we all know, the fewer rules Snort has to process, the better it performs. So how do you disable all the rules that use dsize?

It’s really simpler than you might think.

One assumes that if you are familiar with Snort, you most likely use and have a good understanding of Oinkmaster. We can use Oinkmaster for many more useful tasks than just maintaining rule distribution updates. If there is ever a time when a global or mass rule change is needed, Oinkmaster can automate this daunting task.

Oinkmaster allows you to define templates that will be applied to rules as they are downloaded and processed. In this case, we need to disable all rules that contain the dsize directive.

#disable all dsize rules#
define_template disable_by_keyword "(.*\bdsize\s*:.+;.*)" | "#${1}"
use_template disable_by_keyword *

Add the above to your oinkmaster.conf; the next time you update your rules, it will comment out every rule the regexp matches. It’s worth mentioning that adding a template like this will significantly increase Oinkmaster’s processing time. I’d rather have Oinkmaster take longer to process updates than have Snort drop packets due to bad rules being processed.
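Because a use_template with * touches every rule, it pays to know exactly which rules the regexp will catch before Oinkmaster rewrites the live ruleset. The script below is an added example, not code from the post or from Oinkmaster: it applies the post’s regexp/replacement pair to a few constructed sample rules so you can see which sids get commented out. It also shows one limitation of a keyword-based template: the literal text "dsize:" inside a msg string is enough to match, so such a rule is disabled even though it has no dsize option. The tighter STRICT_TEMPLATE_RE pattern, which only matches "dsize:" where a rule option starts (directly after "(" or ";"), is my own assumption and not part of the post; the sample rules and their sids are constructed for this example.

```python
import re

# Regexp copied from the define_template line for oinkmaster.conf.
# Oinkmaster applies it as a Perl s/// to each rule; Python's re module
# handles this pattern identically, except that Perl's "${1}" in the
# replacement is written "\1" here.
PAGE_TEMPLATE_RE = re.compile(r"(.*\bdsize\s*:.+;.*)")

# Assumed tighter variant (not from the post): only match "dsize:" when it
# sits where a rule option starts, i.e. right after "(" or ";", so the word
# appearing inside a msg string does not trigger the template.
STRICT_TEMPLATE_RE = re.compile(r"(.*[;(]\s*dsize\s*:.+;.*)")

# Constructed sample rules (local-range sids, not from any real ruleset).
SAMPLE_RULES = [
    # 1: ordinary dsize option -> disabled by both patterns
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE small payload"; dsize:<10; sid:1000001; rev:1;)',
    # 2: whitespace before the colon -> still disabled thanks to \s*
    'alert udp any any -> any 53 (msg:"EXAMPLE dsize with space"; dsize : >512; sid:1000002; rev:1;)',
    # 3: "dsize" only as msg/content text, never followed by ":" -> kept by both
    'alert tcp any any -> any 25 (msg:"EXAMPLE mentions dsize in msg only"; content:"dsize"; sid:1000003; rev:1;)',
    # 4: literal "dsize:" inside msg but no dsize option -> the post's regexp
    #    disables it (false positive); the strict variant keeps it
    'alert tcp any any -> any 443 (msg:"EXAMPLE text dsize: in msg"; flow:to_server; sid:1000004; rev:1;)',
    # 5: dsize as the first option, directly after "(" -> disabled by both
    'alert ip any any -> any any (dsize:>1400; msg:"EXAMPLE dsize first option"; sid:1000005; rev:1;)',
]


def apply_template(rules, pattern):
    """Comment out every rule line the template regexp matches, as "#${1}" does."""
    return [pattern.sub(r"#\1", line, count=1) for line in rules]


def sid_of(rule):
    """Extract the numeric sid from a rule line (None if absent)."""
    m = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return int(m.group(1)) if m else None


def disabled_sids(rules, pattern):
    """Sorted sids of the rules that the template would comment out."""
    changed = [sid_of(orig)
               for orig, new in zip(rules, apply_template(rules, pattern))
               if new != orig]
    return sorted(changed)


if __name__ == "__main__":
    for name, pattern in (("post's template", PAGE_TEMPLATE_RE),
                          ("strict variant", STRICT_TEMPLATE_RE)):
        print(f"{name}: disables sids {disabled_sids(SAMPLE_RULES, pattern)}")
    print()
    for line in apply_template(SAMPLE_RULES, PAGE_TEMPLATE_RE):
        print(line)
```

To dry-run the template against your own ruleset, replace SAMPLE_RULES with the lines read from your rules files; any sid that the two patterns disagree on is a rule worth eyeballing by hand before the template goes into oinkmaster.conf.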

Before making any global rule changes like this, I like to back up my rules. Sure, you can gzip them up and all that, but why not automate this process as well? Oinkmaster to the rescue, again. Create a directory wherever you feel appropriate, like /var/tmp/oinkmaster, and then add -b <your path to directory> to the oinkmaster command line. Each time there are changes to the rules you download, oinkmaster will create a gzipped archive of your rules prior to updating them.

Hope you enjoyed it. As always, experiment and nerd it up.

One Response to “global rule changes with oinkmaster”

  1. Greg Martin Says:

    good tip!
