# Snort and automatic signature updating

## Shienarier

I have installed snort and it seems to be running well. 

In the snort FAQ http://www.snort.org/docs/FAQ.txt there is a script for automatic updates of the signature files.

```
#!/bin/sh

###############################################################################
#
# Script to download and install new IDS signatures.
#
###############################################################################

MAILTO="admin@mydomain.de"
MACHINE="machine1"

#set -x

SIGS_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz"
MD5_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz.md5"

WGET="/usr/bin/wget"
#WGET_PARAMS="-N"
WGET_PARAMS="-t 3 -T 5 -N -a /etc/snort/snort.log -P /etc/snort"
# Wget parameters:
#
# -t : Retries (here 3)
# -N : Get the file only if newer
# -a : Append the log messages to the specified file
# -P : Save the file to the specified directory
# -T : Timeout

ECHO="/bin/echo"
TAR="/bin/tar"
KILL="/bin/kill"
PIDOF="/sbin/pidof"
SNORT="/usr/local/bin/snort"
SNORTUSER="snort"
SNORTGROUP="snort"
# SIGHUP makes Snort 2.x re-read its configuration and rules;
# SIGUSR1 (as in the FAQ original) only makes it dump statistics.
KILLSIG="SIGHUP"
# Red Hat style init wrapper; on systems without it, /etc/init.d/snort
# with the same start/stop/restart arguments does the same job.
SERVICE="/sbin/service"

# Where is the Snort configuration dir:
RULESPATH="/etc/snort/snortrules"
SNORTCFGPATH="/etc/snort"

MD5SUM="/usr/bin/md5sum"
MD5SUM_PARAMS=""

# The list of sensor interfaces, separated by blanks
IFACES="eth0"

###############################################################################
#
# F U N C T I O N S
#
###############################################################################

###############################################################################
#
# The function that starts Snort for all defined interfaces on the system.
#
# To extend it you must do two things:
#
# 1. Extend the interface list in IFACES
# 2. Create the configuration file /etc/snort/snort.conf_ethX
#
###############################################################################

restartsnort() {
    # Restarting Snort for all interfaces
    for i in $IFACES; do
        "$ECHO" "Setting up Snort for interface $i"
        "$ECHO" "Restarting Snort..."
        #/usr/bin/killall snort
        if [ -f /var/run/snort_"$i".pid ]
        then
            PID=$("$PIDOF" "$SNORT")
            if [ -z "$PID" ]
            then
                "$SERVICE" snort restart
            else
                #`cat /var/run/snort_"$i".pid`
                "$ECHO" "Restarting Snort running with PID $PID and reloading the rules..."
                "$KILL" -s "$KILLSIG" "$PID"
            fi
        else
            "$ECHO" "No PID file for interface $i found under /var/run"
        fi
        "$ECHO" "Starting Snort"
        "$SNORT" -a -b -c "$SNORTCFGPATH/snort.conf_$i" -I -D -v \
            -i "$i" -u "$SNORTUSER" -g "$SNORTGROUP"
        PID=$(cat /var/run/snort_"$i".pid)
        "$ECHO" "Snort running now with PID $PID"
    done
}

###############################################################################
#
# The function that checks whether and how Snort is running on the system.
#
###############################################################################

checksnort() {
    SNORTS=$("$PIDOF" "$SNORT" | wc -w | awk '{print $1}')
    SNORT_PIDS=$(/usr/bin/find /var/run -name 'snort_eth[0-9].pid' -ls | \
                 wc -l | awk '{print $1}')
    "$ECHO" "Snort instances counted: $SNORTS"
    "$ECHO" "Snort PID files found: $SNORT_PIDS"

    # Case 1: Snort is not running or the PID file is missing:
    if [ "$SNORTS" = "0" -o "$SNORT_PIDS" = "0" ]
    then
        "$ECHO" "Snort seems to be down or no PID file there..."
        "$ECHO" "Restarting Snort for all Interfaces..."
        "$SERVICE" snort restart
    fi

    # Case 2: number of instances differs from the number of PID files
    if [ "$SNORTS" -gt "$SNORT_PIDS" ]
    then
        "$ECHO" "More Snort instances than found PID files..."
        "$ECHO" "Something is wrong out there..."
        "$ECHO" "Stopping all Snort processes..."
        # /usr/bin/killall -9 snort
        "$SERVICE" snort stop
        "$ECHO" "Hold on... Restarting Snort now..."
        "$SERVICE" snort restart
    fi

    # Case 3: number of instances matches the number of PID files; nothing to do
}

###############################################################################
#
# Download, verify and install the rules
#
###############################################################################

getrules() {
    # Get the rules, since we know that they are newer...
    $WGET $WGET_PARAMS "$SIGS_URL1"
    $WGET $WGET_PARAMS "$MD5_URL1"

    "$ECHO" "Readout the checksum..."
    # Read the published MD5 sum. This expects the .md5 file in the BSD
    # format "MD5 (snortrules-stable.tar.gz) = <hex>", i.e. the digest is
    # the fourth field; a GNU style "<hex>  file" line leaves MD5SUM1 empty
    # and the comparison below fails.
    if [ -f /etc/snort/snortrules-stable.tar.gz.md5 ]
    then
        MD5SUM1=$(grep MD5 /etc/snort/snortrules-stable.tar.gz.md5 | awk '{print $4}')
    else
        "$ECHO" "Error! No MD5-file found"
        exit 1
    fi

    "$ECHO" "Generating our own checksum..."
    # Compute our own MD5 sum
    if [ -f /etc/snort/snortrules-stable.tar.gz ]
    then
        MD5SUM2=$("$MD5SUM" $MD5SUM_PARAMS /etc/snort/snortrules-stable.tar.gz | awk '{print $1}')
    else
        "$ECHO" "Error! No rules file found"
        exit 1
    fi

    # Both files come over plain HTTP from the same server, so a matching
    # checksum only shows the download was not corrupted in transit; it does
    # not prove who published the rules.
    if [ "$MD5SUM1" = "$MD5SUM2" ]
    then
        "$ECHO" "The MD5-Checksum fits!"
        "$ECHO" "$MD5SUM1"
        "$ECHO" "$MD5SUM2"
        "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
        "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
        "$ECHO" "Proceeding..."
        # /bin/sleep 1
    else
        "$ECHO" "Error! Wrong checksum! Aborting!"
        "$ECHO" "Install rules manually!"
        "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
        "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
        exit 1
    fi

    # Extract the new rules (this runs as root and trusts the archive's
    # member names; the tarball creates /etc/snort/rules)
    if [ -f "/etc/snort/snortrules-stable.tar.gz" ]
    then
        "$ECHO" "Extracting Snort rules..."
        "$TAR" -xzvf /etc/snort/snortrules-stable.tar.gz -C /etc/snort
    else
        "$ECHO" "Lost the file! Something is wrong!"
        "$ECHO" "Aborting!!"
        exit 1
    fi

    # Deleting old rules
    # Does the directory exist at all?
    if [ -d "$RULESPATH" ]
    then
        # /bin/rm "$RULESPATH"/*.rules
        /bin/mv -f /etc/snort/rules/*.rules "$RULESPATH"
        /bin/cp -f /etc/snort/rules/classification.config "$SNORTCFGPATH"
    else
        "$ECHO" "Missing rules-directory!"
        "$ECHO" "Aborting!"
        exit 1
    fi

    # Cleaning up...
    /bin/rm -rf /etc/snort/rules

    # Give everything to root
    /bin/chown root:root "${RULESPATH}"/*
}

###############################################################################
#
# M A I N
#
###############################################################################

# Error handling first (the option is --spider; a single dash makes wget
# parse it as several short options)
FCHK=$("$WGET" --spider -N -t 3 -T 5 "$SIGS_URL1" -P /etc/snort 2>&1)
ERR_MSG=$("$ECHO" "$FCHK" | egrep -oi "failed|error")

# Log the error message explicitly
"$ECHO" "$FCHK" >> /etc/snort/snort.log

# If there is a word "failed" or "error" we break..
if [ "$("$ECHO" "$FCHK" | grep -i "failed")" ] || \
   [ "$("$ECHO" "$FCHK" | grep -i "error")" ]
then
    "$ECHO" "Error getting the files. The server seems to be not available."
    "$ECHO" "Error message:"
    "$ECHO" "$FCHK"
    "$ECHO" "Aborting!"
    exit 0
fi

"$ECHO" "Checking/getting files..."

# First extract the wget message
FCHK=$("$WGET" --spider -N -t 3 -T 5 "$SIGS_URL1" \
       -P /etc/snort 2>&1 | grep "not retrieving")

/bin/date >> /etc/snort/snort.log
"$ECHO" "Wget-output:"
"$ECHO" "$FCHK"

# Logging what we've done and when
"$ECHO" "$FCHK" >> /etc/snort/snort.log

if [ -z "$FCHK" ]
then
    "$ECHO" "The files on the server seem to be newer."
    "$ECHO" "We will get them now..."
    getrules
    # Reload rules
    "$SERVICE" snort reload
    # restartsnort
else
    "$ECHO" "The signature files on the server are older or not newer."
    "$ECHO" "Doing nothing for now..."
    "$ECHO" "Checking if Snort is running...."
    checksnort
    exit 0
fi

# Send Email
"$ECHO" -e "$(ls -lA "$RULESPATH")\n\nSnort running with PID $("$PIDOF" "$SNORT")" | \
    mail -s "Reloaded Snort signatures on $MACHINE" "$MAILTO"

###############################################################################
###############################################################################

exit 0

#EOF
```

When I run it, it stops at "Readout the checksum...".

I also noticed that I lack the file /sbin/service.

Is this Gentoo related?
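The FAQ script above compares one MD5 file against the tarball with a fixed `awk '{print $4}'` and then untars straight into /etc/snort as root. As an added example that is not part of the FAQ script or this thread, here is the verify-then-extract step written the way I would want it on a sensor: the digest is read from either checksum file format, the archive's member names are checked for absolute paths and `..` before anything is written, and extraction goes into a scratch directory handed in by the caller. All paths are hypothetical; the checksum file, tarball and destination are arguments. Keep in mind that when the .md5 file comes over plain HTTP from the same server as the tarball, a match only rules out corruption in transit, not a substituted ruleset.

```shell
#!/bin/sh
# Added example, not part of the FAQ script or this thread: verify a
# downloaded ruleset tarball against its checksum file and sanity-check
# the archive's member names before extracting it as root.
# All paths are hypothetical and supplied by the caller.

# Print the first 32-character hex digest found in a checksum file.
# Accepts both the BSD style "MD5 (file) = <hex>" and the GNU style
# "<hex>  file" (the FAQ script's awk '{print $4}' only handles the former).
digest_from_file() {
    grep -o -i -E '[0-9a-f]{32}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# verify_checksum TARBALL SUMFILE: 0 if the tarball's MD5 matches the
# digest in SUMFILE, 1 on mismatch or missing input. When both files come
# from the same unauthenticated HTTP server this only detects corruption
# in transit, not a substituted ruleset.
verify_checksum() {
    tarball=$1; sumfile=$2
    [ -f "$tarball" ] && [ -f "$sumfile" ] || return 1
    expected=$(digest_from_file "$sumfile")
    [ -n "$expected" ] || return 1
    actual=$(md5sum "$tarball" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Read archive member names from stdin (as printed by "tar -tzf") and
# reject anything that could land outside the extraction directory:
# absolute paths or any ".." path component. Returns 1 if any were found.
check_member_names() {
    status=0
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*)
                echo "refusing unsafe archive member: $name" >&2
                status=1
                ;;
        esac
    done
    return "$status"
}

# safe_extract TARBALL SUMFILE DESTDIR: verify the checksum, list and
# check the members, and only then extract into DESTDIR (which should be
# a scratch directory, not the live rules directory).
safe_extract() {
    tarball=$1; sumfile=$2; dest=$3
    verify_checksum "$tarball" "$sumfile" || {
        echo "checksum mismatch for $tarball, not extracting" >&2
        return 1
    }
    members=$(tar -tzf "$tarball") || return 1
    printf '%s\n' "$members" | check_member_names || return 1
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}
```

In the FAQ script, `safe_extract /etc/snort/snortrules-stable.tar.gz /etc/snort/snortrules-stable.tar.gz.md5 /etc/snort/staging` would replace the `tar -xzvf ... -C /etc/snort` line, with the `mv` of the `*.rules` files then taken from the staging directory.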

----------

## outspoken

Very old post, but just in case anyone out there wants auto-update scripts to pull the latest and greatest from snort.org: I have modified the oinkmaster.pl file so that it works with the latest build "snort 2.3.0" that is in portage.

First emerge "oinkmaster".

Then vi /usr/bin/oinkmaster.pl and change the following lines:

```

my $OUTFILE            = 'snortrules-snapshot-CURRENT_s.tar.gz';

my $RULES_DIR          = 'rules';

my $DIST_SNORT_CONF    = "$RULES_DIR/snort.conf";

```

I'm not sure what your files look like, but make them like these and they will work.

vi /etc/oinkmaster.conf:

```

url = http://www.snort.org/pub-bin/downloads.cgi/Download/sub_ruls/snortrules-snapshot-CURRENT_s.tar.gz

```

That is all; now run the following command to get oinkmaster to update your rules:

```

oinkmaster.pl -i -o /etc/snort/

```

----------

## lazyleopard

There've been some changes at snort.org in the last week or two. If you want to download updated signatures you now need to register. Oinkmaster does the download job well. Be warned that it's a very good idea to test new rulesets before you put them live. I got caught by an excess of flowbits specifications in the latest web-misc.rules file. Seems I need to upgrade to snort version 2.3.2....

----------

## outspoken

 *lazyleopard wrote:*   

> There've been some changes at snort.org in the last week or two. If you want to download updated signatures you now need to register. Oinkmaster does the download job well. Be warned that it's a very good idea to test new rulesets before you put them live. I got caught by an excess of flowbits specifications in the latest web-misc.rules file. Seems I need to upgrade to snort version 2.3.2....

 

I have registered there. That is a good point to make, though. I would not really recommend making use of the oinkmaster program; it was something that I wanted to get working for the sake of editing and making use of the perl script that was at hand.

----------

## lazyleopard

Oinkmaster does a reasonable job of highlighting the things that have changed, and when things go pear-shaped that can be useful. It's always a good idea to be able to back out changes. It's definitely not a good idea to have rules updates happen entirely automatically; if an update goes splat then you're left without anything. Snort 2.3.2 seems to have had some limits bumped to accommodate changes in the current ruleset from snort.org, but Gentoo's only at 2.3.0 which has the lower limits, so I ended up backing out some of the changes that oinkmaster collected this morning in order to keep snort running.
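The two points lazyleopard makes, test before going live and be able to back out, are exactly what the FAQ script earlier in the thread lacks: it moves the new `*.rules` into `$RULESPATH` and reloads in one go, so a ruleset the running Snort cannot load leaves the sensor down. As an added example (not lazyleopard's code and not from the FAQ), here is a staged install in shell: the candidate rules are copied next to the live directory, a validator is run against the copy, and only on success is the live directory rotated out and kept as `.prev` for rollback. The paths and the validator are hypothetical; on a real sensor the validator would be `snort -T -c <snort.conf>` with the config's include lines pointing at the candidate directory. The offline `syntax_check` included here only catches truncated or non-rule lines, not semantic limits like the flowbits problem described above.

```shell
#!/bin/sh
# Added example, not from the thread or the FAQ script: install a freshly
# downloaded rules directory only after a validation command accepts it,
# and keep the previous ruleset so it can be restored.
# Paths are hypothetical; the validator is any command that takes the
# candidate directory as its last argument and exits 0 to accept it.
# On a real sensor that would be "snort -T -c <snort.conf>" with the
# config's include lines pointing at the candidate directory.

# stage_rules NEWDIR LIVEDIR VALIDATOR [ARGS...]
#   Copies NEWDIR to LIVEDIR.new, runs VALIDATOR on it, and on success
#   rotates LIVEDIR -> LIVEDIR.prev and LIVEDIR.new -> LIVEDIR.
#   Returns 1 without touching LIVEDIR if validation fails.
stage_rules() {
    new=$1; live=$2; shift 2
    [ -d "$new" ] || { echo "no candidate directory: $new" >&2; return 1; }
    prev="$live.prev"; cand="$live.new"
    rm -rf "$cand"
    cp -a "$new" "$cand" || return 1
    if ! "$@" "$cand"; then
        echo "validation failed, live rules left untouched" >&2
        rm -rf "$cand"
        return 1
    fi
    rm -rf "$prev"
    if [ -d "$live" ]; then
        mv "$live" "$prev" || return 1
    fi
    mv "$cand" "$live" || { [ -d "$prev" ] && mv "$prev" "$live"; return 1; }
}

# rollback_rules LIVEDIR: put the previous ruleset back, if one was kept.
rollback_rules() {
    live=$1; prev="$live.prev"
    [ -d "$prev" ] || { echo "nothing to roll back for $live" >&2; return 1; }
    rm -rf "$live" && mv "$prev" "$live"
}

# syntax_check DIR: a validator that works offline. Every non-comment line
# in each *.rules file (after joining "\" continuations) must start with a
# Snort 2.x rule action and end with ")". This catches truncated or
# garbled files; it does not catch semantic problems such as the flowbits
# limits mentioned in the thread, which only "snort -T" would find.
syntax_check() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        awk '
            BEGIN { bad = 0 }
            { line = line $0 }
            /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", line); next }
            { rule = line; line = "" }
            rule ~ /^[ \t]*#/ || rule ~ /^[ \t]*$/ { next }
            rule ~ /^(alert|log|pass|drop|reject|sdrop|activate|dynamic)[ \t]/ && rule ~ /\)[ \t]*$/ { next }
            { bad = 1 }
            END { exit bad }
        ' "$f" || { echo "bad rule line in $f" >&2; return 1; }
    done
    return 0
}
```

A cron job built on this would be `stage_rules /etc/snort/staging/rules /etc/snort/snortrules snort -T -c /etc/snort/snort.conf && /etc/init.d/snort reload`, with `rollback_rules /etc/snort/snortrules` as the manual way back when a ruleset that passed the test still misbehaves.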

----------

## Donpasquale

Oinkmaster won't work here. I think snort doesn't hand out rules for free anymore.

----------

## Captain_Loser

I recommend using bleedingsnort.com for all your updated rules. I have had very good luck with their rules. Just be careful because they are bleeding edge rulesets.

----------

