Name

snort_updater — Update rule sets for configured Snort instances on a NST probe.

Synopsis

snort_updater [ -ncc [true]|false | --no-clear-cache [true]|false ] [ -h [true]|false | --help [true]|false ] [ -H [true]|false | --help-long [true]|false ] [ -v [true]|false | --verbose [true]|false ] [ --version [true]|false ]

Description

The snort_updater command will cycle through each configured Snort instance looking for a Snort updater configuration file to process. This configuration file contains special Keywords that define what Snort rule set URL resource sites to use for updating the Snort IDS alert signature rules.

The typical path name for a Snort updater configuration file is: /etc/snort_<INT>/snort_updater.conf. The allowed Keywords and their meaning are described in Table 1, “Snort Updater Configuration Keywords”. The syntax for a Keyword Value entry is: [Keyword: Value].

Notes:

  • Keywords must start in the first column to be recognized.

  • A space character (" ") must separate the Keyword: from the Value.

  • Blank lines are ignored.

Table 1. Snort Updater Configuration Keywords

Keyword          Value Description
INT

The network INTerface name associated with a configured Snort instance.

URS

Update Rule Site URL resource. One or more URS entries may exist. The URS entries establish the list of rule set bundles that are used to maintain the latest Snort IDS alert signature rules.

PRERELOADSCRIPT

The full path name to a custom user pre-reload script that will run once all Update Rule Site URL resources for a particular configured Snort instance have been downloaded and installed. An example use of this script would be to customize stock IDS signature rules prior to a Snort process rereading its configuration file (i.e. reload). If this Keyword is commented out or set to the null string ("") it will be ignored.

Notes:

  • The environment variable: "SNORTUPDATERCONF" will be available to this custom user pre-reload script and set to the name of the current Snort updater configuration file being processed.

  • The environment variable: "SNORTUPDATERVERBOSE" will be available to this custom user pre-reload script signalling that verbose mode "-v or --verbose" was passed to the snort_updater_conf script.

RELOAD

Boolean value: "true" or "false". This Keyword determines if the running Snort instance will RELOAD its configuration and start using the latest Snort rule sets that were just updated. If a Snort instance is configured, but not running, this Keyword will be ignored.

POSTRELOADSCRIPT

The full path name to a custom user post-reload script that will run once a signal has been sent to a particular running Snort process for reloading its configuration. An example use of this script would be to alert the network security staff via Email that the Snort IDS signatures have been successfully updated. If this Keyword is commented out or set to the null string (""), it will be ignored.

Notes:

  • The environment variable: "SNORTUPDATERCONF" will be available to this custom user post-reload script and set to the name of the current Snort updater configuration file being processed.

  • The environment variable: "SNORTRELOADSTATE" will be available to this custom user post-reload script and set to the result of signaling the running Snort process to "RELOAD" its configuration file. Possible result values are: "failure", "success" or "noreload" (i.e. "RELOAD" Keyword was set to "false").

  • The environment variable: "SNORTUPDATERVERBOSE" will be available to this custom user post-reload script signalling that verbose mode "-v or --verbose" was passed to the snort_updater_conf script.

#

This symbol: # is used to provide in-line comments.
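Below is an example of a POSTRELOADSCRIPT that uses the environment variables described above. It is an added illustration, not a script shipped with NST or part of snort_updater. It assumes that SNORTUPDATERCONF carries the full path /etc/snort_<INT>/snort_updater.conf (from which it derives the interface name), and it writes its notification to standard output instead of mailing the addresses passed as arguments, so that it can be run offline; the function and variable names other than the three environment variables are the example's own.

```sh
#!/bin/sh
# Example POSTRELOADSCRIPT for snort_updater. Added illustration, not NST code.
# snort_updater exports SNORTUPDATERCONF, SNORTRELOADSTATE and (when -v/--verbose
# was given) SNORTUPDATERVERBOSE before running the script; the recipient
# addresses arrive as arguments, as in the man page example.

# Derive the interface name from a path of the form
# /etc/snort_<INT>/snort_updater.conf (an assumption about how SNORTUPDATERCONF
# is formed); anything else is echoed back unchanged.
snort_interface_from_conf() {
    case "$1" in
        */snort_*/snort_updater.conf)
            d=$(dirname "$1")
            printf '%s\n' "${d##*/snort_}" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# Turn a SNORTRELOADSTATE value into a one-line status message. Returns 0 for
# "success" and "noreload", 1 for "failure" or an unexpected value, so a sensor
# that is still running the old rules can be told apart from one that picked
# up the update.
reload_status_message() {
    state=$1
    iface=$2
    case "$state" in
        success)
            printf 'snort[%s]: rules updated and configuration reloaded\n' "$iface"
            return 0 ;;
        noreload)
            printf 'snort[%s]: rules updated; RELOAD is false, running process still uses the previous rules\n' "$iface"
            return 0 ;;
        failure)
            printf 'snort[%s]: rules updated but the reload signal FAILED; check that the process is running and using the new rules\n' "$iface"
            return 1 ;;
        *)
            printf 'snort[%s]: unexpected SNORTRELOADSTATE value "%s"\n' "$iface" "$state"
            return 1 ;;
    esac
}

# Entry point. A real deployment would pipe the message to mail(1) for the
# recipients in "$@"; here it goes to stdout so the example runs offline.
# The exit status is 1 whenever the reload did not succeed.
post_reload_main() {
    iface=$(snort_interface_from_conf "${SNORTUPDATERCONF:-unknown}")
    if msg=$(reload_status_message "${SNORTRELOADSTATE:-unset}" "$iface"); then
        rc=0
    else
        rc=1
    fi
    if [ -n "${SNORTUPDATERVERBOSE:-}" ]; then
        printf 'post-reload: conf=%s state=%s recipients=%s\n' \
            "${SNORTUPDATERCONF:-}" "${SNORTRELOADSTATE:-}" "$*" >&2
    fi
    printf '%s\n' "$msg"
    return $rc
}

# Run only when snort_updater (or a harness) has exported the variables;
# sourcing the file without them just defines the functions.
[ -n "${SNORTUPDATERCONF:-}" ] && post_reload_main "$@"
```

Installed as, for example, /data1/snort/scripts/ids_update_notification and named in POSTRELOADSCRIPT with the recipient addresses as arguments, the script is invoked by snort_updater after the reload signal; a "failure" state is the case worth alerting on, since the sensor may then be running without the rules that were just installed.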

The setup_snort command will be called by this snort_updater command script to perform the actual Snort rule set updates. Normally the snort_updater command script is run by the cron daemon.

A companion Snort updater configuration command: snort_updater_conf is used to manage the Snort updater configuration files and schedule the snort_updater command script to run via the cron facility either hourly or daily.

Below is an example of a Snort updater configuration file for a configured Snort instance associated with network interface: "eth3".

[root@probe ~]# cat /etc/snort_eth3/snort_updater.conf

##################################################################################
#
# Snort updater configuration file:

# Associated Snort network interface name:
INT: eth3

# Update rule site section:
URS: http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz
URS: http://www.bleedingsnort.com/bleeding.rules.tar.gz

# Custom user script run after all URS's have been downloaded and installed:
PRERELOADSCRIPT: /data1/snort/scripts/ids_update_policy_rule -d pol1

# Reload Snort process:
RELOAD: true

# Custom user script run after a Snort process reload has completed:
POSTRELOADSCRIPT: /data1/snort/scripts/ids_update_notification pkb@teramax.org rwh@teramax.org
##################################################################################
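The following is an added example, not part of NST or the snort_updater script, of a small POSIX shell and awk parser for this configuration format. It applies the syntax rules stated above (Keyword in the first column, one space after "Keyword:", "#" comments, blank lines ignored, RELOAD restricted to true/false, INT and URS required) and additionally warns about URS entries that are not fetched over https, a check the man page itself does not describe. The sample configuration it writes is a copy of the example above; the malformed sample and the example.invalid URLs are constructed for the illustration.

```sh
#!/bin/sh
# Parser and syntax checker for the snort_updater.conf format. Added
# illustration, not NST code. The rules enforced are the man page's own
# (Keyword in column 1, "Keyword: Value" with one space after the colon,
# "#" comments, blank lines ignored); the https warning is an extra check.

# Print every Value given for KEYWORD in FILE, one per line (URS may repeat).
# Usage: snort_conf_values FILE KEYWORD
snort_conf_values() {
    awk -v kw="$2" '
        /^#/ || /^[ \t]*$/ { next }                        # comment or blank line
        index($0, kw ": ") == 1 { print substr($0, length(kw) + 3) }
    ' "$1"
}

# Check FILE against the syntax rules. Errors and warnings are printed as
# FILE:LINE: message; the return status is 1 if any error was found, 0
# otherwise (warnings alone do not fail the check).
# Usage: snort_conf_check FILE
snort_conf_check() {
    awk '
        function bad(msg)  { printf "%s:%d: error: %s\n", FILENAME, FNR, msg; errors++ }
        function warn(msg) { printf "%s:%d: warning: %s\n", FILENAME, FNR, msg }
        /^#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { bad("keyword does not start in the first column"); next }
        !match($0, /^[A-Z]+:/) { bad("not a \"Keyword: Value\" line"); next }
        {
            kw = substr($0, 1, RLENGTH - 1)
            rest = substr($0, RLENGTH + 1)
            if (rest !~ /^ /) { bad("no space between \"" kw ":\" and its value"); next }
            val = substr(rest, 2); sub(/[ \t]+$/, "", val)
            if (kw !~ /^(INT|URS|PRERELOADSCRIPT|RELOAD|POSTRELOADSCRIPT)$/) { bad("unknown keyword " kw); next }
            seen[kw]++
            if (kw == "RELOAD" && val != "true" && val != "false")
                bad("RELOAD must be \"true\" or \"false\", got \"" val "\"")
            if (kw == "URS" && val !~ /^https:\/\//)
                warn("rule bundle fetched without TLS, integrity depends on the transport: " val)
        }
        END {
            if (!seen["INT"]) { printf "%s: error: INT keyword missing\n", FILENAME; errors++ }
            if (!seen["URS"]) { printf "%s: error: no URS keyword\n", FILENAME; errors++ }
            exit (errors ? 1 : 0)
        }
    ' "$1"
}

# Write a copy of the man page example configuration to a temporary file and
# print its path (constructed sample input for the functions above).
snort_conf_sample() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# Snort updater configuration file:
INT: eth3
URS: http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz
URS: http://www.bleedingsnort.com/bleeding.rules.tar.gz
PRERELOADSCRIPT: /data1/snort/scripts/ids_update_policy_rule -d pol1
RELOAD: true
POSTRELOADSCRIPT: /data1/snort/scripts/ids_update_notification pkb@teramax.org rwh@teramax.org
EOF
    printf '%s\n' "$f"
}

# A constructed, deliberately malformed file that breaks each syntax rule once
# (leading space, missing separator space, bad RELOAD value, unknown keyword,
# and therefore no valid URS at all).
snort_conf_bad_sample() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
INT: eth9
 URS: http://example.invalid/rules.tar.gz
URS:http://example.invalid/rules.tar.gz
RELOAD: maybe
FOO: bar
EOF
    printf '%s\n' "$f"
}
```

Run against the example file, snort_conf_check reports two warnings (both URS entries use plain http) and returns 0; run against the malformed sample it prints one error per broken rule plus the missing URS and returns 1, which makes it usable as a pre-commit check before snort_updater_conf installs a file under /etc/snort_<INT>/.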

Options

The following command line options are available:

[-ncc [true]|false] | [--no-clear-cache [true]|false]

Use this option to disable clearing the Snort URL cache that holds the downloaded rule set update bundles. On NST probe systems configured with multiple Snort instances, this option keeps the Snort rule set cache from being cleared after all Snort instances have been updated. Unless this option is set, the Snort rule set cache will be cleared even if no Snort updater configuration files are found.

[-h [true]|false] | [--help [true]|false]

When this option is specified, snort_updater will display a short one line description of snort_updater, followed by a short description of each of the supported command line options. After displaying this information snort_updater will terminate.

[-H [true]|false] | [--help-long [true]|false]

This option will attempt to pull up additional snort_updater documentation within a text based web browser. You can force which browser we use by setting the environment variable TEXTBROWSER; otherwise, we will search for some common ones.

[-v [true]|false] | [--verbose [true]|false]

When you set this option to true, snort_updater will produce additional output. This is typically used for diagnostic purposes to help track down when things go wrong.

[--version [true]|false]

If this option is specified, the version number of the script is displayed.

Files

/etc/snort_<INT>/snort_updater.conf

Configuration file.

Environment

TEXTBROWSER

This controls what text based browser is used to display help information about the script. If not set, we will search your system for available text-based browsers (Ex: elinks, lynx ...).

See Also

Network Security Toolkit