Name

snort_updater_conf — Configure and schedule rule set updates for the Snort IDS.

Synopsis

snort_updater_conf [ -m ENTRY | --mode ENTRY ] [ -il LIST | --interface-list LIST ] [ -urs URL | --update-rules-site URL ] [ -s ENTRY | --schedule ENTRY ] [ -l ENTRY | --list-type ENTRY ] [ -r [true]|false | --reload [true]|false ] [ -pre PATH | --pre-reload PATH ] [ -post PATH | --post-reload PATH ] [ -h [true]|false | --help [true]|false ] [ -H [true]|false | --help-long [true]|false ] [ -v [true]|false | --verbose [true]|false ] [ --version [true]|false ]

Description

The snort_updater_conf is used with the NST distribution to manage the configuration and scheduling of rule set updates for the Snort IDS.

The snort_updater_conf will create a Snort update configuration file (--mode add) associated with a configured Snort instance for processing by the snort_updater script. Once created, one can then apply a schedule (--mode schedule) for automatic running of the snort_updater script via the crond facility.

The typical path name for a Snort updater configuration file is: /etc/snort_<INT>/snort_updater.conf. The allowed Keywords and their meaning are described in Table 1, “Snort Updater Configuration Keywords”. The syntax for a Keyword Value entry is: [Keyword: Value].

Notes:

  • Keywords must start in the first column to be recognized.

  • A space character (" ") must separate the Keyword: from the Value.

  • Blank lines are ignored.

Table 1. Snort Updater Configuration Keywords

Keyword           Value Description
INT

The network INTerface name associated with a configured Snort instance.

URS

Update Rule Site URL resource. One or more URS entries may exist. The URS entries establish the list of rule set bundles that are used to maintain the latest Snort IDS alert signature rules.

PRERELOADSCRIPT

The full path name to a custom user pre-reload script that will run once all Update Rule Site URL resources for a particular configured Snort instance have been downloaded and installed. An example use of this script would be to customize stock IDS signature rules prior to a Snort process rereading its configuration file (i.e. reload). If this Keyword is commented out or set to the null string (""), it will be ignored.

Notes:

  • The environment variable: "SNORTUPDATERCONF" will be available to this custom user pre-reload script and set to the name of the current Snort updater configuration file being processed.

  • The environment variable: "SNORTUPDATERVERBOSE" will be available to this custom user pre-reload script signalling that verbose mode "-v or --verbose" was passed to the snort_updater_conf script.

RELOAD

Boolean value: "true" or "false". This Keyword determines if the running Snort instance will RELOAD its configuration and start using the latest Snort rule sets that were just updated. If a Snort instance is configured, but not running, this Keyword will be ignored.

POSTRELOADSCRIPT

The full path name to a custom user post-reload script that will run once a signal has been sent to a particular running Snort process for reloading its configuration. An example use of this script would be to alert the network security staff via Email that the Snort IDS signatures have been successfully updated. If this Keyword is commented out or set to the null string (""), it will be ignored.

Notes:

  • The environment variable: "SNORTUPDATERCONF" will be available to this custom user post-reload script and set to the name of the current Snort updater configuration file being processed.

  • The environment variable: "SNORTRELOADSTATE" will be available to this custom user post-reload script and set to the result of signaling the running Snort process to "RELOAD" its configuration file. Possible result values are: "failure", "success" or "noreload" (i.e. "RELOAD" Keyword was set to "false").

  • The environment variable: "SNORTUPDATERVERBOSE" will be available to this custom user post-reload script signalling that verbose mode "-v or --verbose" was passed to the snort_updater_conf script.

#

This symbol: # is used to provide in-line comments.
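The following POSIX sh reader is an added example and is not part of the NST snort_updater_conf or snort_updater scripts. It parses the snort_updater.conf keyword format described in Table 1 exactly as the notes above specify (Keyword in column one, a space after "Keyword:", blank lines and "#" comments ignored, a null string ("") script value treated as ignored) and runs against a constructed sample file; the function names (conf_values, conf_value, conf_script, conf_urs_count) and the sample contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of NST's snort_updater_conf or snort_updater scripts:
# a small POSIX sh reader for the snort_updater.conf keyword format described
# in Table 1. It applies the documented rules: a Keyword is recognised only in
# column one, "Keyword:" must be followed by a space before the Value, blank
# lines are ignored, and "#" introduces a comment. The function names and the
# sample file below are this example's own.

# Constructed sample configuration (two URS lines are deliberately malformed so
# the column-one and separating-space rules can be seen in effect).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#
# Snort updater configuration file (constructed sample):
INT: eth3

# Update rule site section:
URS: http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz
URS: http://www.bleedingsnort.com/bleeding.rules.tar.gz
 URS: http://example.invalid/ignored-not-in-column-one.tar.gz
URS:http://example.invalid/ignored-no-space-after-keyword.tar.gz

PRERELOADSCRIPT: /data1/snort/scripts/ids_update_policy_rule -d pol1
RELOAD: true
# POSTRELOADSCRIPT: /data1/snort/scripts/ids_update_notification
POSTRELOADSCRIPT: ""
EOF

# conf_values FILE KEYWORD
# Print the Value of every recognised "KEYWORD: Value" line, one per line.
conf_values() {
    # Anchor at column one and require "KEYWORD: " exactly; strip the keyword
    # prefix and any trailing whitespace from the value.
    grep "^$2: " "$1" | sed "s/^$2: //; s/[[:space:]]*\$//"
}

# conf_value FILE KEYWORD
# Print the value of a single-valued keyword (last occurrence wins), or
# nothing if it is absent or commented out.
conf_value() {
    conf_values "$1" "$2" | tail -n 1
}

# conf_script FILE KEYWORD
# For PRERELOADSCRIPT/POSTRELOADSCRIPT: a missing, commented-out or null
# string ("") value means the script is ignored, so print nothing.
conf_script() {
    v=$(conf_value "$1" "$2")
    case "$v" in
        ''|'""') ;;
        *) printf '%s\n' "$v" ;;
    esac
}

# conf_urs_count FILE
# Number of rule set bundles (URS entries) the updater would fetch.
conf_urs_count() {
    conf_values "$1" URS | wc -l | tr -d ' '
}

# Demonstration output when the file is run directly.
printf 'Interface:          %s\n' "$(conf_value "$SAMPLE_CONF" INT)"
printf 'Reload:             %s\n' "$(conf_value "$SAMPLE_CONF" RELOAD)"
printf 'Rule set bundles:   %s\n' "$(conf_urs_count "$SAMPLE_CONF")"
conf_values "$SAMPLE_CONF" URS | sed 's/^/    /'
printf 'Pre-reload script:  %s\n' "$(conf_script "$SAMPLE_CONF" PRERELOADSCRIPT)"
printf 'Post-reload script: %s\n' "$(conf_script "$SAMPLE_CONF" POSTRELOADSCRIPT)"
```

Run directly, the script reports interface eth3, RELOAD true, exactly two rule set bundles (the indented URS line and the one missing the separating space are skipped, as the notes require) and no post-reload script, since the null string ("") counts as ignored. The same reader can be pointed at a real /etc/snort_<INT>/snort_updater.conf to check what a scheduled snort_updater run will actually fetch and execute.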


The examples below show how to use the snort_updater_conf script:

Example 1. Snort Updater Configuration File Creation

This example creates a Snort updater configuration file: "/etc/snort_eth3/snort_updater.conf" for a configured Snort instance associated with network interface: "eth3".

        [root@probe ~]# snort_updater_conf --mode add --interface-list "eth3" \
                --update-rules-site "http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz" \
                --update-rules-site "http://www.bleedingsnort.com/bleeding.rules.tar.gz" \
                --reload "true" --pre-reload "/data1/snort/scripts/ids_update_policy_rule -d pol1" \
                --post-reload "/data1/snort/scripts/ids_update_notification pkb@teramax.org rwh@teramax.org"
      
[root@probe ~]# cat /etc/snort_eth3/snort_updater.conf

##################################################################################
#
# Snort updater configuration file:

# Associated Snort network interface name:
INT: eth3

# Update rule site section:
URS: http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz
URS: http://www.bleedingsnort.com/bleeding.rules.tar.gz

# Custom user script run after all URS's have been downloaded and installed:
PRERELOADSCRIPT: /data1/snort/scripts/ids_update_policy_rule -d pol1

# Reload Snort process:
RELOAD: true

# Custom user script run after a Snort process reload has completed:
POSTRELOADSCRIPT: /data1/snort/scripts/ids_update_notification pkb@teramax.org rwh@teramax.org
##################################################################################


Example 2. Snort Updater Configuration File Modification

This example modifies the Snort updater configuration file: "/etc/snort_eth3/snort_updater.conf" for a configured Snort instance associated with network interface: "eth3". It will add a new URS resource and change the reload state.

        [root@probe ~]# snort_updater_conf --mode add --interface-list "eth3" \
                --update-rules-site "http://www.networksecuritytoolkit.org/snort/rules/nstvirus.tar.gz" \
                --reload "false"
      
[root@probe ~]# cat /etc/snort_eth3/snort_updater.conf

##################################################################################
#
# Snort updater configuration file:

# Associated Snort network interface name:
INT: eth3

# Update rule site section:
URS: http://www.networksecuritytoolkit.org/snort/rules/nstpolicy.tar.gz
URS: http://www.bleedingsnort.com/bleeding.rules.tar.gz
URS: http://www.networksecuritytoolkit.org/snort/rules/nstvirus.tar.gz

# Custom user script run after all URS's have been downloaded and installed:
PRERELOADSCRIPT: /data1/snort/scripts/ids_update_policy_rule -d pol1

# Reload Snort process:
RELOAD: false

# Custom user script run after a Snort process reload has completed:
POSTRELOADSCRIPT: /data1/snort/scripts/ids_update_notification pkb@teramax.org rwh@teramax.org
##################################################################################


Example 3. Snort Updater Configuration File Disable RELOAD

This example disables the reload state (i.e. sets it to "false") for all existing Snort update configuration files.

        [root@probe ~]# snort_updater_conf --mode add --reload "false"
      

Example 4. Snort Updater Configuration URS Deletion

This example will remove the URS Snort rule set update resource site "http://www.bleedingsnort.com/bleeding.rules.tar.gz" from the Snort updater configuration file: "/etc/snort_eth1/snort_updater.conf" found with the configured Snort instance associated with network interface: "eth1".

        [root@probe ~]# snort_updater_conf --mode delete --interface-list "eth1" \
                --update-rules-site "http://www.bleedingsnort.com/bleeding.rules.tar.gz"
      

Example 5. Snort Updater Configuration PRE-RELOAD Deletion

This example will remove the "pre-reload" script from configured Snort instance associated with network interface: "eth0".

        [root@probe ~]# snort_updater_conf --mode delete --interface-list "eth0" --pre-reload "REMOVE"
      

Example 6. Snort Updater Configuration File Deletion

This example will remove the entire Snort updater configuration file: "/etc/snort_eth3/snort_updater.conf" from the configured Snort instance associated with network interface: "eth3".

        [root@probe ~]# snort_updater_conf --mode delete --interface-list "eth3" --verbose
      

Example 7. Snort Updater Schedule: "Daily"

This example will create a crontab entry to run the "snort_updater" script daily at 04:02 for configured Snort instances with an associated "snort_updater.conf" file. If the cron facility (i.e. crond service) was not running it will be started.

        [root@probe ~]# snort_updater_conf --mode schedule --schedule "daily" --verbose
      

Example 8. Snort Updater Schedule: "Clear"

This example will clear all "snort_updater" scripts from running via the cron facility.

        [root@probe ~]# snort_updater_conf --mode schedule --schedule "clear" --verbose
      

Note:

Clearing the "snort_updater" scripts from the cron facility will not stop the crond service.

Options

The following command line options are available:

[-m ENTRY] | [--mode ENTRY]

This option controls what the snort_updater_conf script will do. The following modes are available: ("list", "add", "delete", and "schedule"). If you specify "list" (the default), it will list the current configured Snort rule set updates and schedule for all configured Snort instances or optionally for a selected interface name list ("--interface-list interface-list"). Use the "--list-type" option for further granularity of display output. Specify "add" to configure a new update URS Snort rule set resource site, a "reload" state, a "pre-reload" script or a "post-reload" script for one or more configured Snort instances. Specify "delete" to remove a configured update URS Snort rule set resource site, a "pre-reload" script or a "post-reload" script from one or more configured Snort instances. The "delete" mode can also be used to remove an entire "snort_updater.conf" configuration file if no other options are specified. Specify "schedule" for automation of Snort rule set updates on an hourly, daily, weekly or monthly basis using the snort_updater script and crond facility.

[-il LIST] | [--interface-list LIST]

A selected list of network interface names associated with one or more configured Snort instances for Snort rule set update configuration. If this parameter is not selected, all network interfaces associated with all configured Snort instances will be assumed. The interface name list is a comma or space separated list of interface names associated with already configured Snort instances (Ex: "eth0, eth1 eth5 ath0"). The interface name list should be enclosed in double quotes ("") if more than one interface name is used.

[-urs URL] | [--update-rules-site URL]

This option can be used one or more times to specify the "URL" of a Snort rule set site for rule set updates to one or more configured Snort instances. Use this option in conjunction with operational modes: "--mode add" when adding a new URL site or "--mode delete" for removal of a URL site. The update rule set file must be in a gzipped tar file format: "Ex: rules.tar.gz". The update rule set file will be uncompressed and put into the appropriate runtime rules directory for the configured Snort instance using the "setup_snort --update-rules" script.

[-s ENTRY] | [--schedule ENTRY]

This option controls the scheduled frequency that the snort_updater script will run via the crond facility. Use this option in conjunction with the "--mode schedule" operational mode. The following update periods are available: ("daily", "hourly", "weekly", "monthly" and "clear"). If you specify "hourly", the snort_updater script will run at 1 minute past each hour. If you specify "daily" the snort_updater script will run daily at 04:02. If you specify "weekly" the snort_updater script will run on Sunday at 04:22. If you specify "monthly" the snort_updater script will run on the first day of each month at 04:42. You can specify "clear" to remove the snort_updater script as a cron entry and it will no longer be scheduled to run.

[-l ENTRY] | [--list-type ENTRY]

This option controls the format of the list output to be used. Use this option in conjunction with the "--mode list" operational mode. The following list types are available: ("schedule", "config", and "all"). If you specify "schedule", only the current schedule information will be displayed. If you specify "config", only the current configuration for interfaces defined by the "--interface-list" option will be displayed. If you specify "all" (the default), both the schedule and configuration information will be displayed. If no "--list-type" is used in conjunction with the "--mode list" operational mode, the "--list-type": "all" will be assumed.

[-r [true]|false] | [--reload [true]|false]

If "true", this option will enable a running Snort instance to "reload" its configuration and start using the latest Snort rule sets that were just updated. Use this option in conjunction with operational mode: "--mode add". It is good practice to set this option each time you use the "--mode add" operational mode.

[-pre PATH] | [--pre-reload PATH]

This option controls the configuration of a custom user script that can run after all Snort rule set updates have been downloaded and installed for a configured Snort instance but prior to a Snort process "reload". Use this option in conjunction with operational mode: "--mode add" for adding a new script or use mode: "--mode delete" with the special PATH name "REMOVE" (i.e. "--pre-reload REMOVE") for deletion of a prior script. Enter the full path name to this custom user "pre-reload" script. An example use of this option would be a script to customize stock IDS signature rules for a particular environment prior to a Snort process rereading its configuration file (i.e. "reload").

[-post PATH] | [--post-reload PATH]

This option controls the configuration of a custom user script that can run after the Snort process "reload". Use this option in conjunction with operational mode: "--mode add" for adding a new script or use mode: "--mode delete" with the special PATH name "REMOVE" (i.e. "--post-reload REMOVE") for deletion of a prior script. Enter the full path name to this custom user "post-reload" script. An example use of this option would be a script to alert the security administration staff that Snort rule set updates have been completed.
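The following is an added example of the kind of custom user "post-reload" script the POSTRELOADSCRIPT Keyword (Table 1) and the "--post-reload" option point at; it is not part of NST and is not the ids_update_notification script used in Example 1. It relies only on the environment variables the Notes under POSTRELOADSCRIPT document (SNORTUPDATERCONF, SNORTRELOADSTATE and SNORTUPDATERVERBOSE) and turns the reload result into a log line and a non-zero exit status when the running Snort process failed to reload, which is the case an operator most needs to hear about. The log file path (SNORT_UPDATE_LOG), passing e-mail recipients as script arguments, the function names, and treating SNORTUPDATERVERBOSE as "set means verbose" are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of NST: a custom user "post-reload" script of the
# kind the POSTRELOADSCRIPT Keyword / --post-reload option points at. The
# snort_updater script exports SNORTUPDATERCONF, SNORTRELOADSTATE and
# SNORTUPDATERVERBOSE as documented in the manual; this script reads them,
# derives the Snort interface from the configuration file path, appends one
# line to a log file and, when a "mail" command exists, e-mails the recipients
# given as its arguments. The log file path (SNORT_UPDATE_LOG), the
# recipients-as-arguments convention and the treatment of SNORTUPDATERVERBOSE
# as "set means verbose" are assumptions of this example.

# conf_interface CONF
# Derive <INT> from a /etc/snort_<INT>/snort_updater.conf path.
conf_interface() {
    d=$(basename "$(dirname "$1")")
    printf '%s\n' "${d#snort_}"
}

# reload_outcome STATE
# Translate SNORTRELOADSTATE into a message and an exit status: "success" and
# "noreload" are expected outcomes (0); "failure" means the running Snort
# instance is still inspecting traffic with the previous rule sets (1); any
# other value is unexpected (2).
reload_outcome() {
    case "$1" in
        success)  printf 'rule sets updated and Snort reloaded'; return 0 ;;
        noreload) printf 'rule sets updated; RELOAD is false, running Snort not signalled'; return 0 ;;
        failure)  printf 'rule sets updated but Snort RELOAD FAILED; instance still uses old rules'; return 1 ;;
        *)        printf 'unexpected SNORTRELOADSTATE value: %s' "$1"; return 2 ;;
    esac
}

# notify CONF STATE VERBOSE [RECIPIENT...]
# Append a timestamped log line, echo it in verbose mode, optionally mail it,
# and return the reload_outcome status so a failed reload is visible to the
# caller and in the cron job's exit status.
notify() {
    conf=$1; state=$2; verbose=$3; shift 3
    log=${SNORT_UPDATE_LOG:-/var/log/snort_update_notify.log}   # assumed path
    if msg=$(reload_outcome "$state"); then rc=0; else rc=$?; fi
    line="$(date '+%Y-%m-%d %H:%M:%S') snort_updater[$(conf_interface "$conf")]: $msg (conf=$conf)"
    printf '%s\n' "$line" >> "$log"
    [ -n "$verbose" ] && printf '%s\n' "$line"
    if [ $# -gt 0 ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$line" | mail -s "Snort rule set update: $state" "$@"
    fi
    return "$rc"
}

# Entry point when invoked by snort_updater (environment variables are set).
if [ -n "${SNORTRELOADSTATE:-}" ]; then
    notify "${SNORTUPDATERCONF:-unknown}" "$SNORTRELOADSTATE" "${SNORTUPDATERVERBOSE:-}" "$@"
    exit $?
fi
```

Configured as "--post-reload '/path/to/this/script ops@example.invalid'" the script is started by snort_updater with the three variables in its environment; "failure" produces a log line naming the interface whose Snort process is still running old rules and exits 1, while "noreload" is recorded as expected behaviour rather than an error because it simply reflects RELOAD being set to "false".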

[-h [true]|false] | [--help [true]|false]

When this option is specified, snort_updater_conf will display a short one line description of snort_updater_conf, followed by a short description of each of the supported command line options. After displaying this information snort_updater_conf will terminate.

[-H [true]|false] | [--help-long [true]|false]

This option will attempt to pull up additional snort_updater_conf documentation within a text based web browser. You can force which browser we use by setting the environment variable TEXTBROWSER; otherwise, we will search for some common ones.

[-v [true]|false] | [--verbose [true]|false]

When you set this option to true, snort_updater_conf will produce additional output. This is typically used for diagnostic purposes to help track down when things go wrong.

[--version [true]|false]

If this option is specified, the version number of the script is displayed.

Files

/etc/snort_<INT>/snort_updater.conf

Configuration file.

Environment

TEXTBROWSER

This controls what text based browser is used to display help information about the script. If not set, we will search your system for available text-based browsers (Ex: elinks, lynx ...).

See Also

nstnewscript(l), Network Security Toolkit