Snort Rules Update

General questions.
Helios
Posts: 11
Joined: June 13th, 2013, 9:16 pm

Snort Rules Update

Post by Helios » June 16th, 2013, 7:54 pm

Does IPFire update Snort rules automatically or is this something that needs to be done manually?

5p9
Mentor
Posts: 1860
Joined: May 1st, 2011, 3:27 pm

Re: Snort Rules Update

Post by 5p9 » June 16th, 2013, 8:00 pm

Hi,

Manually. ;)
I renew my list once every 2 months.

BG, 5p9
Mail Gateway: mail proxy

Helios
Posts: 11
Joined: June 13th, 2013, 9:16 pm

Re: Snort Rules Update

Post by Helios » June 16th, 2013, 8:44 pm

Thanks! 2 questions:

1) Is there a plan to automate this functionality in future versions of IPFire?
2) Is there a way to automate that functionality using a cron job?

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Snort Rules Update

Post by BeBiMa » June 17th, 2013, 9:25 am

5p9 wrote:I renew my list once every 2 months.

That's too seldom!
For IDS/IPS to make sense, you have to update it very regularly.
Unitymedia Cable Internet ( 32MBit )

5p9
Mentor
Posts: 1860
Joined: May 1st, 2011, 3:27 pm

Re: Snort Rules Update

Post by 5p9 » June 17th, 2013, 9:30 am

Really? But the rules must always be reset, which is a bit annoying ;)
Thanks for this info!

BG, 5p9

Edit: Okay, I see it (http://www.snort.org/vrt/):

<code>
Latest Advisories

    VRT Rules 2013-06-13
    VRT Rules 2013-06-11
    VRT Rules 2013-06-06
</code>
Last edited by Guest on June 17th, 2013, 9:36 am, edited 1 time in total.
thomasmathiesen
Posts: 1
Joined: September 10th, 2013, 7:04 pm

Re: Snort Rules Update

Post by thomasmathiesen » September 10th, 2013, 7:13 pm

Can someone tell me the command line for running a Snort rule update and triggering a reload?
In case this is IPFire-specific, so that I don't break anything.

Then I'll just add a cronjob to carry out the task for me :)

Kind regards,  Med vennlig hilsen, Met vriendelijke groet,
Thomas Mathiesen
--
LinSpes.no
Web: www.linspes.no - www.openerp.no - www.vtiger.no
Email: thomas.mathiesen@linspes.no
Phone: +47 21 99 67 64 (Norway)
Mobile: +47 40 16 26 42 (Norway)

mimarcu
Posts: 49
Joined: July 27th, 2013, 8:38 pm

Re: Snort Rules Update

Post by mimarcu » October 19th, 2013, 6:00 am

I recently added this to my feature request on the developers page; check it out if you have a chance or have any questions. ;D

5p9
Mentor
Posts: 1860
Joined: May 1st, 2011, 3:27 pm

Re: Snort Rules Update

Post by 5p9 » October 21st, 2013, 10:46 am

Hi thomasmathiesen,

thomasmathiesen wrote:Can someone tell me the command line for running a Snort rule update and triggering a reload?

I will look into this command via the fcrontab function soon. I need this, too.

5p9

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Snort Rules Update

Post by dnl » November 5th, 2013, 10:43 am

I'm very interested in automatic rule updates too.  An IDS is most effective when it has up-to-date rules, so I'm not sure why this feature isn't standard in IPFire!  (Was snort only added recently?!)


Currently Snort recommends using PulledPork, but I see that the older oinkmaster is used by IPFire at present.

Here's a very temporary quick hack I put together for EmergingThreats only...

Save this to a new file called /etc/fcron.daily/snort-update so it can run daily:

<code>
#!/bin/bash
# Automatically update snort rules daily, using oinkmaster.
# Abort on the first failing command so oinkmaster never runs on a missing or partial download.
set -e

# Fetch the EmergingThreats open rule set for this Snort series (recursive -r is not needed for a single file).
wget -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz

# Merge the downloaded archive into the live rules directory using IPFire's oinkmaster configuration.
/usr/bin/perl -w /usr/local/bin/oinkmaster.pl -q -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules
</code>


This WILL BREAK when a new version of snort is released! (It would be easy to write a script to check for the current version and update the URL, but more thought needs to go into this before doing that, like how to easily script downloading rules from Snort using an oinkcode too.)
Last edited by dnl on November 5th, 2013, 10:47 am, edited 1 time in total.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE
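Following up on the point that a fixed URL breaks on a Snort upgrade, here is an added example (my own, not dnl's script and not IPFire's code) that derives the EmergingThreats archive URL from `snort -V` and re-runs oinkmaster only when the downloaded archive actually changed. It assumes the oinkmaster paths from the script above and that EmergingThreats keeps open rule sets in directories named after the Snort series (snort-2.9.0, as in dnl's URL); ET_BASE, STATE_DIR and the function names are mine.

```shell
#!/bin/bash
# Added example, not dnl's script: pick the EmergingThreats archive for the
# installed Snort series and run oinkmaster only when the archive changed.
# Assumption: ET keeps open rules under open/snort-<major.minor.0>/ (as in
# dnl's URL); oinkmaster paths are those from the script above.
set -u
ET_BASE="http://rules.emergingthreats.net/open"   # assumed layout, see above
STATE_DIR="/var/tmp/snort-update"                  # hypothetical state directory
OINKMASTER="/usr/local/bin/oinkmaster.pl"
OINK_CONF="/var/ipfire/snort/oinkmaster.conf"
RULES_DIR="/etc/snort/rules"

# Read `snort -V` output on stdin and print "2.9.6" from a banner line such as
#   o"  )~   Version 2.9.6.0 GRE (Build 47)
snort_version() {
    sed -n 's/.*Version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Map a version like 2.9.6 to the snort-2.9.0 directory and build the URL.
et_rules_url() {
    local series
    series=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\)\.[0-9]*$/\1.0/')
    printf '%s/snort-%s/emerging.rules.tar.gz' "$ET_BASE" "$series"
}

# Return 0 and record the new digest when the archive differs from the last run,
# return 1 when it is unchanged. md5 here only detects change; it does not
# authenticate the download (the ET open feed is fetched over plain http).
archive_changed() {
    local archive=$1 stamp=$2 new old
    new=$(md5sum "$archive" | cut -d' ' -f1)
    old=$(cat "$stamp" 2>/dev/null || true)
    [ "$new" != "$old" ] && printf '%s\n' "$new" > "$stamp"
}

update_rules() {
    local version url archive="$STATE_DIR/emerging.rules.tar.gz"
    mkdir -p "$STATE_DIR"
    version=$(snort -V 2>&1 | snort_version)
    [ -n "$version" ] || { echo "cannot determine snort version" >&2; return 1; }
    url=$(et_rules_url "$version")
    # Download to a temp name so a failed transfer never replaces a good archive.
    wget -q -O "$archive.tmp" "$url" || { echo "download failed: $url" >&2; return 1; }
    mv "$archive.tmp" "$archive"
    archive_changed "$archive" "$STATE_DIR/last.md5" || { echo "rules unchanged"; return 0; }
    /usr/bin/perl -w "$OINKMASTER" -q -s -u "file://$archive" -C "$OINK_CONF" -o "$RULES_DIR"
}

if [ "${1:-}" = "run" ]; then update_rules; fi   # e.g. from /etc/fcron.daily
```

Like dnl's script, this does not reload Snort after oinkmaster runs; the IPFire-specific reload command asked for earlier in the thread still has to be added.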

Garp
Posts: 127
Joined: July 8th, 2014, 7:38 am
Location: The Netherlands

Re: Snort Rules Update

Post by Garp » September 2nd, 2014, 6:04 pm

Is there any update to this matter? A year has passed and I cannot imagine that the need for proper automatic Snort rules updates has vanished.

Does this script still work correctly on core update 81?
Provide some additional protection for the clients on your network in a few easy steps: viewtopic.php?f=27&t=12122&p=78219#p78219

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Snort Rules Update

Post by dnl » September 4th, 2014, 11:06 am

Yes, this thread is now old.

Somebody has written a better script than mine in another thread (sorry, can't find it right now). However, it's still a work-around.

I have no idea why the IPFire developers implemented Snort without putting in some kind of automated update.  Noting that an automated update really needs to use the Snort "PulledPork" script, not anything old!


EDIT: I have been considering putting together a significant IDS/IPS improvement proposal for the Wishlist.  However I've not had much time available and still need to research how best things should be done.

For one thing, IPFire could use a better IDS page in the web user interface, where rules could be toggled on and off properly (and permanently - even after updates). The "IDS logs" page could have more options, like allowing you to acknowledge an alert (hiding it), add a note to an alert, or sort the alerts by priority and the like, instead of just treating them like another flat log file.

There's also some Guardian improvement to do, but XerXes has already started much of that in the Addons forum (I started an English thread for his changes).
Last edited by dnl on September 4th, 2014, 11:20 am, edited 1 time in total.
trymes
Posts: 663
Joined: February 9th, 2011, 4:10 pm
Location: New England, USA

Re: Snort Rules Update

Post by trymes » September 4th, 2014, 1:54 pm

dnl: I am confident that there is widespread support in the IPFire user community for the sorts of changes you are talking about.

Tom

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Snort Rules Update

Post by dnl » October 11th, 2014, 11:33 am

trymes wrote:dnl: I am confident that there is widespread support in the IPFire user community for the sorts of changes you are talking about.

Tom


Thanks!
I've been away for most of a month, but am still thinking of how it would be best to improve the IDS/IPS in IPFire.

Garp
Posts: 127
Joined: July 8th, 2014, 7:38 am
Location: The Netherlands

Re: Snort Rules Update

Post by Garp » October 16th, 2014, 8:27 am

Quick question; is anyone using pulledpork?

https://code.google.com/p/pulledpork/

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Snort Rules Update

Post by dnl » October 16th, 2014, 10:41 am

Garp wrote:Quick question; is anyone using pulledpork?

https://code.google.com/p/pulledpork/


I'm keen to hear also please!

I'm struggling to spend much time doing research into Snort on IPFire, but I do want to implement PulledPork instead of the deprecated oinkmaster script. IPFire really needs to update this; it will fix flowbits errors, amongst other things. It's also the currently supported rule update method.