Name

snort_updater — Update rule sets for configured Snort instances on a NST probe.

Synopsis

snort_updater [ -ncc [true]|false | --no-clear-cache [true]|false ] [ -h [true]|false | --help [true]|false ] [ -H [true]|false | --help-long [true]|false ] [ -v [true]|false | --verbose [true]|false ] [ --version [true]|false ]

Description

The snort_updater command will cycle through each configured Snort instance looking for a Snort updater configuration file to process. This configuration file contains special Keywords that define what Snort rule set URL resource sites to use for updating the Snort IDS alert signature rules.

The typical path name for a Snort updater configuration file is: /etc/snort_<INT>/snort_updater.conf. The allowed Keywords and their meaning are described in Table 1, “Snort Updater Configuration Keywords”. The syntax for a Keyword Value entry is: [Keyword: Value].

Notes:

  • Keywords must start in the first column to be recognized.

  • A space character (" ") must separate the Keyword: from the Value.

  • Blank lines are ignored.

Table 1. Snort Updater Configuration Keywords

Keyword        Value Description
INT

The network INTerface name associated with a configured Snort instance.

URS

Update Rule Site URL resource. One or more URS entries may exist. The URS entries establish the list of rule set bundles that are used to maintain the latest Snort IDS alert signature rules.

PRERELOADSCRIPT

The full path name to a custom user pre-reload script that will run once all Update Rule Site URL resources for a particular configured Snort instance have been downloaded and installed. An example use of this script would be to customize stock IDS signature rules prior to a Snort process rereading its configuration file (i.e. reload). If this Keyword is commented out or set to the null string ("") it will be ignored.

Notes:

  • The environment variable: "SNORTUPDATERCONF" will be available to this custom user pre-reload script and set to the name of the current Snort updater configuration file being processed.

  • The environment variable: "SNORTUPDATERVERBOSE" will be available to this custom user pre-reload script signalling that verbose mode "-v or --verbose" was passed to the snort_updater_conf script.

RELOAD

Boolean value: "true" or "false". This Keyword determines if the running Snort instance will RELOAD its configuration and start using the latest Snort rule sets that were just updated. If a Snort instance is configured, but not running, this Keyword will be ignored.

POSTRELOADSCRIPT

The full path name to a custom user post-reload script that will run once a signal has been sent to a particular running Snort process for reloading its configuration. An example use of this script would be to alert the network security staff via email that the Snort IDS signatures have been successfully updated. If this Keyword is commented out or set to the null string (""), it will be ignored.

Notes:

  • The environment variable: "SNORTUPDATERCONF" will be available to this custom user post-reload script and set to the name of the current Snort updater configuration file being processed.

  • The environment variable: "SNORTRELOADSTATE" will be available to this custom user post-reload script and set to the result of signaling the running Snort process to "RELOAD" its configuration file. Possible result values are: "failure", "success" or "noreload" (i.e. "RELOAD" Keyword was set to "false").

  • The environment variable: "SNORTUPDATERVERBOSE" will be available to this custom user post-reload script signalling that verbose mode "-v or --verbose" was passed to the snort_updater_conf script.

#

This symbol: # is used to provide in-line comments.
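The entry rules above (Keyword in the first column, one space after "Keyword:", blank lines skipped, "#" for comments, only the five Keywords in Table 1) are easy to get subtly wrong by hand, and a rejected PRERELOADSCRIPT or URS line is better reported than silently dropped. The following added example is not part of snort_updater or NST; it is a small POSIX sh reader for this file format that applies those rules to a constructed sample file, reports malformed or unknown entries, and exposes the accepted values per Keyword. It assumes only whole-line "#" comments (the page does not say whether a trailing "#" on a value line is stripped) and uses a constructed sample path and URLs.

```shell
#!/bin/sh
# Hypothetical reader for the snort_updater.conf "Keyword: Value" format.
# Added example, not NST's snort_updater code. Rules applied, as stated in
# the man page: Keyword must start in column 1, a single space separates
# "Keyword:" from the Value, blank lines are ignored, "#" lines are comments.
# Assumption: only whole-line comments are recognised.

# Constructed sample configuration, written to a temp file so the parser
# reads a real file the way the updater would. The last three entries are
# deliberately wrong (indented, missing space, unknown Keyword).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Snort updater configuration file (constructed sample)
INT: eth3

# Update rule site section:
URS: http://rules.example.invalid/nstpolicy.tar.gz
URS: http://rules.example.invalid/extra.rules.tar.gz
RELOAD: true
POSTRELOADSCRIPT: /usr/local/bin/ids_notify admin@example.invalid
 URS: http://rules.example.invalid/indented.tar.gz
RELOAD:false
FREQUENCY: hourly
EOF

# Print "KEYWORD<TAB>VALUE" for every well-formed entry in the file $1.
# Malformed or unknown entries are reported on stderr and skipped rather
# than silently accepted: PRERELOADSCRIPT/POSTRELOADSCRIPT values end up
# being executed, so a reader should know exactly what was taken.
parse_updater_conf() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*) continue ;;                      # blank line or comment
            [A-Z]*:\ *)                                 # "Keyword: Value"
                keyword=${line%%:*}
                value=${line#*: }
                case $keyword in
                    INT|URS|PRERELOADSCRIPT|RELOAD|POSTRELOADSCRIPT)
                        printf '%s\t%s\n' "$keyword" "$value" ;;
                    *)
                        printf 'line %d: unknown keyword %s ignored\n' "$lineno" "$keyword" >&2 ;;
                esac ;;
            *)
                printf 'line %d: malformed entry ignored: %s\n' "$lineno" "$line" >&2 ;;
        esac
    done < "$1"
}

# Values of one Keyword from file $1, one per line (URS may repeat).
conf_values() {
    parse_updater_conf "$1" 2>/dev/null | awk -F '\t' -v k="$2" '$1 == k { print $2 }'
}

# Number of entries the parser rejected in file $1.
conf_problems() {
    parse_updater_conf "$1" 2>&1 >/dev/null | awk 'END { print NR }'
}

# Whether the running instance should be signalled to reload: prints
# true/false, returns 1 if RELOAD is absent, duplicated or not a boolean.
conf_reload() {
    v=$(conf_values "$1" RELOAD)
    case $v in
        true|false) printf '%s\n' "$v" ;;
        *) printf 'RELOAD must be "true" or "false", got "%s"\n' "$v" >&2; return 1 ;;
    esac
}

# Example run against the constructed file.
printf 'interface: %s\n' "$(conf_values "$SAMPLE_CONF" INT)"
conf_values "$SAMPLE_CONF" URS | sed 's/^/rule site: /'
printf 'reload: %s\n' "$(conf_reload "$SAMPLE_CONF")"
printf 'rejected entries: %s\n' "$(conf_problems "$SAMPLE_CONF")"
```

Run against the sample, the reader accepts eth3, the two URS bundles, RELOAD true and the POSTRELOADSCRIPT line, and reports three rejected entries: the indented URS, "RELOAD:false" (no space after the colon) and the unknown FREQUENCY Keyword.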

The /usr/local/snort/setup_snort command will be called by this snort_updater command script to perform the actual Snort rule set updates. Normally the snort_updater command script is run by the cron daemon.

A companion Snort updater configuration command: snort_updater_conf is used to manage the Snort updater configuration files and schedule the snort_updater command script to run via the cron facility either hourly or daily.

Below is an example of a Snort updater configuration file for a configured Snort instance associated with network interface: "eth3".

[root@probe ~]# cat /etc/snort_eth3/snort_updater.conf

##################################################################################
#
# Snort updater configuration file:

# Associated Snort network interface name:
INT: eth3

# Update rule site section:
URS: http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz
URS: http://www.bleedingsnort.com/bleeding.rules.tar.gz

# Custom user script run after all URS's have been downloaded and installed:
PRERELOADSCRIPT: /data1/snort/scripts/ids_update_policy_rule -d pol1

# Reload Snort process:
RELOAD: true

# Custom user script run after a Snort process reload has completed:
POSTRELOADSCRIPT: /data1/snort/scripts/ids_update_notification pkb@teramax.org rwh@teramax.org
##################################################################################
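The ids_update_notification script named in the example is site-specific and not shown on this page. As an added example (not NST's code, and not the script from the configuration above), here is a minimal POSTRELOADSCRIPT in POSIX sh that consumes the environment variables the man page documents: it derives the interface name from SNORTUPDATERCONF, turns SNORTRELOADSTATE ("success", "noreload", "failure") into a status line for the security staff, and exits non-zero when the reload signal failed so the problem is visible in cron output. It assumes the /etc/snort_<INT>/snort_updater.conf layout for the interface lookup, that SNORTUPDATERVERBOSE is non-empty when -v was given, and that logger(1) is available; the message text is constructed.

```shell
#!/bin/sh
# Hypothetical POSTRELOADSCRIPT for snort_updater (added example, not NST code).
# snort_updater exports SNORTUPDATERCONF, SNORTRELOADSTATE and SNORTUPDATERVERBOSE
# before running the script; the functions take them as arguments so they can
# be exercised without a running updater.

# Derive the Snort instance's interface name from the configuration path,
# which follows the /etc/snort_<INT>/snort_updater.conf convention.
# Assumption: any other layout yields "unknown".
conf_interface() {
    case $1 in
        /etc/snort_*/snort_updater.conf)
            dir=${1%/snort_updater.conf}          # e.g. /etc/snort_eth3
            printf '%s\n' "${dir#/etc/snort_}" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Turn a SNORTRELOADSTATE value ($1) and the config path ($2) into a one-line
# status message. Returns 0 for success/noreload and 1 for failure or an
# unexpected value, so the caller can treat a failed reload as an error.
reload_report() {
    state=$1 conf=$2
    int=$(conf_interface "$conf")
    case $state in
        success)
            printf 'snort[%s]: rules updated and configuration reloaded\n' "$int" ;;
        noreload)
            printf 'snort[%s]: rules updated; RELOAD is false, running process still uses old rules\n' "$int" ;;
        failure)
            printf 'snort[%s]: rules updated but reload signal FAILED, old rules still active\n' "$int"
            return 1 ;;
        *)
            printf 'snort[%s]: unexpected SNORTRELOADSTATE "%s"\n' "$int" "$state"
            return 1 ;;
    esac
}

# Entry point when invoked by the updater (SNORTUPDATERCONF is set).
if [ -n "${SNORTUPDATERCONF:-}" ]; then
    if msg=$(reload_report "${SNORTRELOADSTATE:-}" "$SNORTUPDATERCONF"); then
        logger -t snort_updater -p daemon.info "$msg"
    else
        logger -t snort_updater -p daemon.err "$msg"
        exit 1
    fi
    # Assumption: SNORTUPDATERVERBOSE is non-empty when -v/--verbose was given.
    if [ -n "${SNORTUPDATERVERBOSE:-}" ]; then
        printf '%s\n' "$msg"
    fi
fi
```

Sending the message by email, as the man page suggests, is a matter of piping the returned line to the site's mail command in place of (or in addition to) the logger calls.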