Snort Rules Update

General questions.
Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Snort Rules Update

Post by Edwin » April 15th, 2018, 9:08 am

Hi H&M,

The VRT and ET rules I choose in the WebIF match exactly with the include lines in snort.conf.
Isn't that okay?

Regards,
Edwin.

H&M
Posts: 430
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Snort Rules Update

Post by H&M » April 15th, 2018, 11:58 am

See the bug above: the web interface skips some rule files...
You have to add missing rules by hand in snort.conf and never ever use web interface again...

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Snort Rules Update

Post by Edwin » April 15th, 2018, 12:46 pm

Ah, now I see.
The WebIF doesn't get a proper update of all rules that exist in /etc/snort/rules.
Thanks for pointing that out!

edit:
When I update the snort.conf with a missing rule, the WebIF gets updated.

Regards,
Edwin.
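The mismatch Edwin and H&M are discussing (rule files present in /etc/snort/rules that ids.cgi never writes into snort.conf, bug 11263) can be checked mechanically. The script below is an added example, not part of the thread's update script: it compares the active include lines of snort.conf with the *.rules files on disk and reports both directions of mismatch. The default paths are IPFire's; run it with --demo to see it on a constructed sample in which one rule file is never included and one include points at a file that no longer exists.

```perl
#!/usr/bin/perl
# Added example, not part of the thread's update script: list rule files that
# sit in the rules directory but are not pulled in by snort.conf, and include
# lines whose rule file no longer exists. Default paths are IPFire's.
use strict;
use warnings;
use File::Basename qw(basename);

# Compare *.rules files against the active 'include' lines of a snort.conf.
# Returns (files never included, includes whose file is missing), both sorted.
sub compare_includes {
    my ($conf_lines, $rule_files) = @_;
    my %included;
    for my $line (@$conf_lines) {
        # a commented-out include is not loaded, so only uncommented ones count;
        # classification.config and similar non-rule includes are skipped
        next unless $line =~ m/^\s*include\s+(\S+\.rules)\s*$/;
        $included{ basename($1) } = 1;      # $RULE_PATH/x.rules -> x.rules
    }
    my %present = map { basename($_) => 1 } @$rule_files;
    my @not_included = sort grep { !$included{$_} } keys %present;
    my @dangling     = sort grep { !$present{$_} }  keys %included;
    return (\@not_included, \@dangling);
}

sub read_lines {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

my ($conf_lines, @files);
if (@ARGV && $ARGV[0] eq '--demo') {
    # constructed sample: three files on disk, one of them never included,
    # and an include left behind for a file that the last update removed
    $conf_lines = [
        "var RULE_PATH /etc/snort/rules\n",
        "include \$RULE_PATH/emerging-trojan.rules\n",
        "include \$RULE_PATH/emerging-scan.rules\n",
        "#include \$RULE_PATH/emerging-policy.rules\n",
        "include classification.config\n",
    ];
    @files = map { "/etc/snort/rules/$_" }
        qw(emerging-trojan.rules emerging-policy.rules emerging-malware.rules);
} else {
    my $conf = $ARGV[0] // '/etc/snort/snort.conf';
    my $dir  = $ARGV[1] // '/etc/snort/rules';
    $conf_lines = read_lines($conf);
    @files      = glob("$dir/*.rules");
}

my ($not_included, $dangling) = compare_includes($conf_lines, \@files);
print "Rule files present but not included in snort.conf:\n";
print "  $_\n" for @$not_included;
print "Include lines whose rule file is missing:\n";
print "  $_\n" for @$dangling;
# exit non-zero when anything is off, so a cron job can flag it in the log
exit((@$not_included || @$dangling) ? 1 : 0);
```

Running it after each rules update, before restarting Snort, catches the case where a newly downloaded rules file is silently never loaded.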

Razorback
Posts: 64
Joined: December 18th, 2014, 4:13 pm

Re: Snort Rules Update

Post by Razorback » April 15th, 2018, 3:42 pm

Hi Guys,

Excuse me for bumping in unexpectedly.

So I update using the Emergingthreats ruleset; if I check on, let's say, the Trojan checkbox I get to see a bunch of checked and unchecked rules. Manually checking the rules one after the other is pretty time consuming and a pain.

Is there an easier way of getting the job done?

Greetz
Rzrbck

TimF
Posts: 29
Joined: June 10th, 2017, 7:27 pm

Re: Snort Rules Update

Post by TimF » April 15th, 2018, 4:49 pm

I'm having a look at the problem of preserving changes in the list of enabled and disabled rules over an update. Obviously this is a non-trivial problem (or it would already be in IPFire), but I think I've got an approach that will work, and the initial code is looking promising.

There's quite a bit of work still to do (and more urgent things to demand my attention) so it's likely to be a few weeks before I can post some code.

Razorback
Posts: 64
Joined: December 18th, 2014, 4:13 pm

Re: Snort Rules Update

Post by Razorback » April 17th, 2018, 9:22 am

Priorities have to be set, but I'm sure it's worth the wait. Anyway, that's really good news. ;)

Thank you from my side. :)

gitarman94
Posts: 6
Joined: March 17th, 2018, 1:37 pm
Location: US

Re: Snort Rules Update

Post by gitarman94 » April 19th, 2018, 4:48 pm

Hey All, really glad to see all the work being done on this topic. Also, sorry about the code fubar on the ppp0 thing, I didn't realize that the ppp setup used a different PID (I don't use PPP here, didn't know to test that). I've been making incremental updates to the code and stealing from other updates posted as well. I'm throwing another updated blob of code out there for those who want it, and/or for other coders to take from it and use what they will to make it better. I've been testing this iteration of the below for a couple of weeks now and have had no issues. I can't PM on this site, but if anyone wants to collaborate on this project "offline", just let me know.

Code:

#!/usr/bin/perl
#################################
# Snort Rules Update for IPFire #
# ----- Contributions by: ----- #
# --------- Kick@ss ----------- #
# ----------- H&M ------------- #
# -------- gitarman94 --------- #
#################################

use autodie ':io';
use LWP::Simple;
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

my $Version = `snort -V 2>&1 | grep 'Version'`;
my ($local_vrt_v) = $Version =~ m/(\d+\.[\d\.]*)/;
$local_vrt_v =~ s/\.//g;
my $oinkcode='none';
my $Snort_Orange = 0;
my $Snort_BLUE = 0;
my $Snort_GREEN = 0;
my $Snort_Active = 0;
my $url = '';
getSnortSettings();
my $currentWebSnortVersion;
if ($oinkcode !~ m/none/)
{
    my $snortList = webGet('https://snort.org/downloads/registered/md5s.txt');
    $currentWebSnortVersion = webSnortParse($snortList); #iterates through the list and sets this var to the current sub-point release number from the website
};
my $currentLocalETVersion = readFile("/var/tmp/ETVersion.txt"); #read the local file to get the currently installed ET version
my $ETList = webGet('https://rules.emergingthreats.net/version.txt');
my $ETSnortVersion = webGet('http://rules.emergingthreats.net/open/');
my $currentWebETVersion = webETParse();
parseETPrimary();
versionComparer();
verifySnortIsRunning();
exit(0);

sub parseETPrimary
{
  my $tempET;
  while ($ETSnortVersion =~ m/(snort-\d+\.\d+\.\d+\.*)/g)
  {
    $tempET = $1;
    last;
  }
  $ETSnortVersion = $tempET;
}

sub getSnortSettings
{
  open my $fh, '<', "/var/ipfire/snort/settings"; #open file
  while (my $line = <$fh>) #iterate through the file line by line
  {
      if ($line =~ m/ENABLE/ || $line =~ m/OINKCODE/) #only the ENABLE_* and OINKCODE settings matter here (logical '||', not the bitwise '|')
      {
          if ($line =~ m/ORANGE/) #looking for orange settings
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_Orange = 1; #default is 0 but if orange is enabled then make it so
              }
          }
          elsif ($line =~ m/BLUE/) #looking for blue settings
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_BLUE = 1; #default is 0 but if blue is enabled then make it so
              }
          }
          elsif ($line =~ m/GREEN/) #looking for green settings
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_GREEN = 1; #default is 0 but if green is enabled then make it so
              }
          }
          elsif ($line =~ m/OINKCODE/) #get oinkcode from within the settings file automatically
          {
              my @lineItems = split('[=]',$line);
              if (length($lineItems[1]) == 41) #get the length and match to the 41 character string it should be, if not proper length, then it's not a real oinkcode
              {
                  $oinkcode = $lineItems[1];
              }
              elsif ((length($lineItems[1]) > 2 && length($lineItems[1]) < 41) || length($lineItems[1]) > 41)
              {
                system("logger -t SnortUpdate 'WARNING: OINKCODE appears to be of incorrect length.'");
              }
          }
          else
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_Active = 1; #default is 0 but if red is enabled then make it so
              }
          }
      }
  }
  close $fh;
}

sub webGet
{ #used to http query snort for current version of version 2
    my $url = shift;
    my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0 }, ); #NOTE: verify_hostname => 0 disables TLS certificate validation, so the download is not authenticated
    my $request = HTTP::Request->new(GET => $url);
    my $response = $ua->request($request);
    if ($response->is_success)
    {
        return $response->content; #returns list found on above site
    }
}

sub webETParse
{
    chomp $ETList; #remove extra line/spaces
    return $ETList;
}

sub webSnortParse
{  #iterate over the md5 list and pick out the snort rules snapshot version
    my $snortList = shift;

    foreach my $line (split(/\n/, $snortList)) #one md5 entry per line
    {
      chomp $line;
      next unless ($line);
      #only the registered snapshot entry carries a version, e.g. snortrules-snapshot-2983.tar.gz
      next unless $line =~ m/snortrules-snapshot-([\d.]+)\.tar\.gz/;
      my $vnum = $1;
      $vnum =~ s/\.//g; #digits only, comparable with $local_vrt_v
      return $vnum;
    }
    return 0; #nothing usable found
}

sub readFile
{
    my $localFile = shift; #we're passing a variable into the subroutine, this sets it to a local variable
    my $currentLocalVersion = 0; #default value, in case we don't find the file
    if (-e $localFile)
    {
        open my $fh, '<', $localFile; #open file
        while (my $row = <$fh>) #iterate through the file line by line (if multiple)
        {
            chomp $row; #removes empty lines and takes only good data
            $currentLocalVersion = $row; #should only be 1 line in the file so we'll take whatever it gives us
        }
        close $fh;
    }
    return $currentLocalVersion;
}


sub versionComparer
{ #now we test that above WebVersions against our local versions, if newer we'll update
      # VRT Community
          #$url=" https://www.snort.org/rules/community";
      #EmergingThreats Community
          #$url="http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      # VRT Subscripted & VRT Community
          #$url="https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode\n https://www.snort.org/rules/community";
      # VRT Subscripted & EmergingThreats Community
          #$url="https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode\n http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      my $performUpdate = 1;
      #We're testing for " !~ m/none/ " in the oinkcode section, as if we don't have a valid code, no point in running them
      if ($oinkcode !~ m/none/ && $currentWebSnortVersion > $local_vrt_v && $currentWebETVersion gt $currentLocalETVersion) #numeric compare for the snapshot ids: 'gt' would sort 29100 before 2990
      { #updates both snort registered and EmergingThreats
          $url = "https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode\n http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      }
      elsif ($oinkcode !~ m/none/ && $currentWebSnortVersion > $local_vrt_v && $currentWebETVersion le $currentLocalETVersion)
      { #updates only snort registered
          $url = "https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode";
      }
      elsif ($currentWebETVersion gt $currentLocalETVersion)
      { #updates only emergingthreats
          $url = "http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      }
      else
      { #no updates are performed as there were no newer versions available
        $performUpdate = 0;
      }

      if ($performUpdate == 1 && runUpdate() == 1)
      { #only runs if there are updates available and the updater itself ran without error
          writeFile(); #write the latest version to local files so we now know we have the latest
          #performing these system tasks from here, as we don't want to restart the snort service if we don't have to
          system("logger -t SnortUpdate 'SnortUpdate finished.'");
          system("logger -t SnortUpdate 'Changing ownership for rule files...'");
          system("chown -R nobody:nobody /etc/snort/rules");
          system("logger -t SnortUpdate 'Ownership permissions updated.'");
          system("logger -t SnortUpdate 'Restarting Snort...'");
          system("/usr/local/bin/snortctrl restart");
      }
      else
      {
        system("logger -t SnortUpdate 'No updates found.'");
        print "No updates found.\n";
      }
}

sub writeFile
{
  open my $fh2, '>', "/var/tmp/ETVersion.txt"; #open file for writing
  print $fh2 "$currentWebETVersion"; #actually write to file
  close $fh2; #close file
}

sub runUpdate
{
  my @df = `/bin/df /var`; #runs system command to get HD size and free disk space
  foreach my $line (@df) #multiple lines are returned, need to loop through them
  {
        my $errormessage = '';
        next if $line =~ m/^Filesystem/; #skips lines that have the word "Filesystem", meaning it's a header line
        my $return;

        if ($line =~ m/dev/) #only cares about lines that have the word 'dev' in them
        {
              my @temp = split(/\s+/,$line); #split the line at the spaces
              if ($temp[3]<300000) #fourth field of the df line is the available space in 1K blocks, need 300MB
              {
                  $errormessage = "Not enough disk space, less than 300MB is available";
                  system("logger -t SnortUpdate 'Error encountered while update database: $errormessage'");
                  return 2;
              }
              else
              {
                  my @lns=split('\n',$url); #splitting at a new line and setting the URL to a variable
                  foreach my $l (@lns) #if more than 1 then we just loop
                  {
                      chomp $l;
                      print "Update found!\n";
                      print "Downloading... $l \n";
                      sleep(1);
                      system("logger -t SnortUpdate 'Download start for: $l'");
                      system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $l");
                      sleep(3);
                      $return = `cat /var/tmp/log 2>/dev/null`;

                      if ($return =~ m/ERROR/) #wget wrote an error to its log
                      {
                          $errormessage = $return;
                          system("logger -t SnortUpdate 'Error prevented the download: $errormessage'");
                          print $errormessage;
                          return 2;
                      }
                      else
                      {
                          system("logger -t SnortUpdate 'Processing rules downloaded...'");
                          system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >/var/tmp/log 2>&1 &");
                          sleep(2);
                          system("logger -t SnortUpdate 'Update Successfull for $l'");
                          print "Update Successfull for $l\n";
                      }
                  }
              }
          }
      }
      return 1;
}

sub verifySnortIsRunning
{
    system("logger -t SnortUpdate 'Verifying Snort is running...'");

    if (($Snort_Orange == 1 && ! -e "/var/run/snort_orange0.pid") ||
    ($Snort_BLUE == 1 && ! -e "/var/run/snort_blue0.pid") ||
    ($Snort_GREEN == 1 && ! -e "/var/run/snort_green0.pid") ||
    ($Snort_Active == 1 && (! -e "/var/run/snort_red0.pid" && ! -e "/var/run/snort_ppp0.pid"))) #logical '||', not the bitwise '|'
    { #if any of the services are enabled and are not started, go ahead and start them 'cause peeps be creepin'
        system("/usr/local/bin/snortctrl restart"); #start command... it knows what to do
    }
}

gitarman94
Posts: 6
Joined: March 17th, 2018, 1:37 pm
Location: US

Re: Snort Rules Update

Post by gitarman94 » April 26th, 2018, 4:53 pm

Oii... new issue as of Tuesday... the snort website changed slightly so how we were doing a version check all of a sudden failed to work properly. Found a better way of iterating through the version lists that they give us and this next code update appears to be working now. We REALLY need to get some kind of update process going on here... posting code like this is a bit ridiculous. Anyone know how to create a pakfire package??

Code:

#!/usr/bin/perl
#################################
# Snort Rules Update for IPFire #
# ----- Contributions by: ----- #
# --------- Kick@ss ----------- #
# ----------- H&M ------------- #
# -------- gitarman94 --------- #
#################################

use autodie ':io';
use LWP::Simple;
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

my $Version = `snort -V 2>&1 | grep 'Version'`;
my ($local_vrt_v) = $Version =~ m/(\d+\.[\d\.]*)/;
$local_vrt_v =~ s/\.//g;
my $oinkcode='none';
my $Snort_Orange = 0;
my $Snort_BLUE = 0;
my $Snort_GREEN = 0;
my $Snort_Active = 0;
my $url = '';
getSnortSettings();
my $currentWebSnortVersion;
if ($oinkcode !~ m/none/)
{
    my $snortList = webGet('https://snort.org/downloads/registered/md5s.txt');
    $currentWebSnortVersion = webSnortParse($snortList); #iterates through the list and sets this var to the current sub-point release number from the website
};
my $currentLocalETVersion = readFile("/var/tmp/ETVersion.txt"); #read the local file to get the currently installed ET version
my $ETList = webGet('https://rules.emergingthreats.net/version.txt');
my $ETSnortVersion = webGet('http://rules.emergingthreats.net/open/');
my $currentWebETVersion = webETParse();
parseETPrimary();
versionComparer();
verifySnortIsRunning();
exit(0);

sub parseETPrimary
{
  my $tempET;
  while ($ETSnortVersion =~ m/(snort-\d+\.\d+\.\d+\.*)/g)
  {
    $tempET = $1;
    last;
  }
  $ETSnortVersion = $tempET;
}

sub getSnortSettings
{
  open my $fh, '<', "/var/ipfire/snort/settings"; #open file
  while (my $line = <$fh>) #iterate through the file line by line
  {
      if ($line =~ m/ENABLE/ || $line =~ m/OINKCODE/) #only the ENABLE_* and OINKCODE settings matter here (logical '||', not the bitwise '|')
      {
          if ($line =~ m/ORANGE/) #looking for orange settings
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_Orange = 1; #default is 0 but if orange is enabled then make it so
              }
          }
          elsif ($line =~ m/BLUE/) #looking for blue settings
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_BLUE = 1; #default is 0 but if blue is enabled then make it so
              }
          }
          elsif ($line =~ m/GREEN/) #looking for green settings
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_GREEN = 1; #default is 0 but if green is enabled then make it so
              }
          }
          elsif ($line =~ m/OINKCODE/) #get oinkcode from within the settings file automatically
          {
              my @lineItems = split('[=]',$line);
              if (length($lineItems[1]) == 41) #get the length and match to the 41 character string it should be, if not proper length, then it's not a real oinkcode
              {
                  $oinkcode = $lineItems[1];
              }
              elsif ((length($lineItems[1]) > 2 && length($lineItems[1]) < 41) || length($lineItems[1]) > 41)
              {
                system("logger -t SnortUpdate 'WARNING: OINKCODE appears to be of incorrect length.'");
              }
          }
          else
          {
              my @lineItems = split('[=]',$line);
              if ($lineItems[1] =~ m/on/) #if the setting is "on"
              {
                  $Snort_Active = 1; #default is 0 but if red is enabled then make it so
              }
          }
      }
  }
  close $fh;
}

sub webGet
{ #used to http query snort for current version of version 2
    my $url = shift;
    my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0 }, ); #NOTE: verify_hostname => 0 disables TLS certificate validation, so the download is not authenticated
    my $request = HTTP::Request->new(GET => $url);
    my $response = $ua->request($request);
    if ($response->is_success)
    {
        return $response->content; #returns list found on above site
    }
}

sub webETParse
{
    chomp $ETList; #remove extra line/spaces
    return $ETList;
}

sub webSnortParse
{  #iterate over the md5 list and keep the highest snort rules snapshot version seen
    my $snortList = shift;
    my $vnum = 0;
    foreach my $line (split('\n',$snortList))
    {
      chomp $line;
      next unless ($line);
      #the registered snapshot entry is the only one carrying a version, e.g. snortrules-snapshot-2983.tar.gz;
      #community and other entries have none, which is what produced the 'uninitialized value $vnumer' warnings
      next unless $line =~ m/snortrules-snapshot-(\d+)\.tar\.gz/;
      my $vnumer = $1;
      if ($vnumer > $vnum)
      {
        $vnum = $vnumer;
      }
    }
    return $vnum;
}

sub readFile
{
    my $localFile = shift; #we're passing a variable into the subroutine, this sets it to a local variable
    my $currentLocalVersion = 0; #default value, in case we don't find the file
    if (-e $localFile)
    {
        open my $fh, '<', $localFile; #open file
        while (my $row = <$fh>) #iterate through the file line by line (if multiple)
        {
            chomp $row; #removes empty lines and takes only good data
            $currentLocalVersion = $row; #should only be 1 line in the file so we'll take whatever it gives us
        }
        close $fh;
    }
    return $currentLocalVersion;
}


sub versionComparer
{ #now we test that above WebVersions against our local versions, if newer we'll update
      # VRT Community
          #$url=" https://www.snort.org/rules/community";
      #EmergingThreats Community
          #$url="http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      # VRT Subscripted & VRT Community
          #$url="https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode\n https://www.snort.org/rules/community";
      # VRT Subscripted & EmergingThreats Community
          #$url="https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode\n http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      my $performUpdate = 1;
      #We're testing for " !~ m/none/ " in the oinkcode section, as if we don't have a valid code, no point in running them
      if ($oinkcode !~ m/none/ && $currentWebSnortVersion > $local_vrt_v && $currentWebETVersion gt $currentLocalETVersion) #numeric compare for the snapshot ids: 'gt' would sort 29100 before 2990
      { #updates both snort registered and EmergingThreats
          $url = "https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode\n http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      }
      elsif ($oinkcode !~ m/none/ && $currentWebSnortVersion > $local_vrt_v && $currentWebETVersion le $currentLocalETVersion)
      { #updates only snort registered
          $url = "https://www.snort.org/rules/snortrules-snapshot-$currentWebSnortVersion.tar.gz?oinkcode=$oinkcode";
      }
      elsif ($currentWebETVersion gt $currentLocalETVersion)
      { #updates only emergingthreats
          $url = "http://rules.emergingthreats.net/open/$ETSnortVersion/emerging.rules.tar.gz";
      }
      else
      { #no updates are performed as there were no newer versions available
        $performUpdate = 0;
      }

      if ($performUpdate == 1 && runUpdate() == 1)
      { #only runs if there are updates available and the updater itself ran without error
          writeFile(); #write the latest version to local files so we now know we have the latest
          #performing these system tasks from here, as we don't want to restart the snort service if we don't have to
          system("logger -t SnortUpdate 'SnortUpdate finished.'");
          system("logger -t SnortUpdate 'Changing ownership for rule files...'");
          system("chown -R nobody:nobody /etc/snort/rules");
          system("logger -t SnortUpdate 'Ownership permissions updated.'");
          system("logger -t SnortUpdate 'Restarting Snort...'");
          system("/usr/local/bin/snortctrl restart");
      }
      else
      {
        system("logger -t SnortUpdate 'No updates found.'");
        print "No updates found.\n";
      }
}

sub writeFile
{
  open my $fh2, '>', "/var/tmp/ETVersion.txt"; #open file for writing
  print $fh2 "$currentWebETVersion"; #actually write to file
  close $fh2; #close file
}

sub runUpdate
{
  my @df = `/bin/df /var`; #runs system command to get HD size and free disk space
  foreach my $line (@df) #multiple lines are returned, need to loop through them
  {
        my $errormessage = '';
        next if $line =~ m/^Filesystem/; #skips lines that have the word "Filesystem", meaning it's a header line
        my $return;

        if ($line =~ m/dev/) #only cares about lines that have the word 'dev' in them
        {
              my @temp = split(/\s+/,$line); #split the line at the spaces
              if ($temp[3]<300000) #fourth field of the df line is the available space in 1K blocks, need 300MB
              {
                  $errormessage = "Not enough disk space, less than 300MB is available";
                  system("logger -t SnortUpdate 'Error encountered while update database: $errormessage'");
                  return 2;
              }
              else
              {
                  my @lns=split('\n',$url); #splitting at a new line and setting the URL to a variable
                  foreach my $l (@lns) #if more than 1 then we just loop
                  {
                      chomp $l;
                      print "Update found!\n";
                      print "Downloading... $l \n";
                      sleep(1);
                      system("logger -t SnortUpdate 'Download start for: $l'");
                      system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $l");
                      sleep(3);
                      $return = `cat /var/tmp/log 2>/dev/null`;

                      if ($return =~ m/ERROR/) #wget wrote an error to its log
                      {
                          $errormessage = $return;
                          system("logger -t SnortUpdate 'Error prevented the download: $errormessage'");
                          print $errormessage;
                          return 2;
                      }
                      else
                      {
                          system("logger -t SnortUpdate 'Processing rules downloaded...'");
                          system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >/var/tmp/log 2>&1 &");
                          sleep(2);
                          system("logger -t SnortUpdate 'Update Successfull for $l'");
                          print "Update Successfull for $l\n";
                      }
                  }
              }
          }
      }
      return 1;
}

sub verifySnortIsRunning
{
    system("logger -t SnortUpdate 'Verifying Snort is running...'");

    if (($Snort_Orange == 1 && ! -e "/var/run/snort_orange0.pid") ||
    ($Snort_BLUE == 1 && ! -e "/var/run/snort_blue0.pid") ||
    ($Snort_GREEN == 1 && ! -e "/var/run/snort_green0.pid") ||
    ($Snort_Active == 1 && (! -e "/var/run/snort_red0.pid" && ! -e "/var/run/snort_ppp0.pid"))) #logical '||', not the bitwise '|'
    { #if any of the services are enabled and are not started, go ahead and start them 'cause peeps be creepin'
        system("/usr/local/bin/snortctrl restart"); #start command... it knows what to do
        system("logger -t SnortUpdate 'Not all services running, starting now...'");
        print "Not all services running, starting now...\n";
    }
}

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Snort Rules Update

Post by Edwin » April 26th, 2018, 9:09 pm

Hi,
Thanks for your work!

The new script gives me:

Code:

[root@ipfire snort]# ./update.sh
Use of uninitialized value $vnumer in substitution (s///) at /var/ipfire/snort/snortupdate.pl line 140.
Use of uninitialized value $vnumer in numeric gt (>) at /var/ipfire/snort/snortupdate.pl line 141.
No updates found.
Did I do something wrong?

gitarman94
Posts: 6
Joined: March 17th, 2018, 1:37 pm
Location: US

Re: Snort Rules Update

Post by gitarman94 » April 26th, 2018, 10:30 pm

No, they’re just warnings, as we have all warnings turned on. You’ll note where it says no updates found.

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Snort Rules Update

Post by Edwin » April 27th, 2018, 7:09 am

Okay, thanks.
And yes, a pakfire package would be great!

dnl
Posts: 313
Joined: June 28th, 2013, 11:03 am

Re: Snort Rules Update

Post by dnl » May 9th, 2018, 9:46 am

Great work gitarman94!!
I like how it can be run regularly, with low impact, and will actually start Snort if it's stopped.

Have you had a chance to address the issues which H&M mentioned?
I read this thread and quickly scanned the comments in your latest script, but I'm not sure if they have been addressed.


For reference:
H&M wrote:
April 13th, 2018, 11:57 am
Great Job!

One minor feature to be added: log in /var/log/messages if no updates are found - currently the perl script only prints it on screen.

I saw above Michael's reason for not including an automated update job for the snort rules: lack of preserving user configuration (what rules get activated in snort.conf).
To make things worse, the ids.cgi has a bug: it does not put all downloaded rules files in snort.conf (user must manually add the missing ones)
See https://bugzilla.ipfire.org/show_bug.cgi?id=11263

If somebody can fix above 2 items then I don't see any reason why the automated update job should not be included as standard feature.

Again, great job!

Thank you,
H&M

gitarman94
Posts: 6
Joined: March 17th, 2018, 1:37 pm
Location: US

Re: Snort Rules Update

Post by gitarman94 » May 9th, 2018, 10:21 am

Addressing the first paragraph, yes. It prints to both locations now. I haven’t had time to address the second issue with the snort rules, that one is a little bit more complicated and it’s something I’ll have to address when I get more time. Judging by the comments someone else may already be looking into it. I’ll see what they come up with as they are probably far further along in development, and I’ve got no way to PM on this site to be able to collaborate.

TimF
Posts: 29
Joined: June 10th, 2017, 7:27 pm

Re: Snort Rules Update

Post by TimF » June 9th, 2018, 7:01 pm

I've now got my script to update the rules while preserving the current list of enabled and disabled rules. It's not quite ready to share yet - I want to do a little more testing. I also need to work out how to share it, since there's too much code to put in a box on this forum.

I'm currently expecting that it'll be available for other people to test in a couple of weeks.
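TimF describes, here and in his earlier post, an updater that keeps the list of enabled and disabled rules across an update. The script below is an added example of that idea and is not TimF's code: it records, per SID, whether a rule is active or commented out in the installed rule file, then rewrites the freshly downloaded copy so each SID keeps the administrator's state while SIDs new to the file keep the vendor's default. The two rule texts are constructed samples, with SID 2000001 switched off by hand and SID 2000003 switched on by hand in the installed file, so those are the two the merge re-applies.

```perl
#!/usr/bin/perl
# Added example, not TimF's script: carry the enabled/disabled state of
# individual rules (keyed by SID) from the installed rule file over to a
# freshly downloaded copy, so an update does not undo per-rule choices.
# In practice the old text comes from /etc/snort/rules and the new one from
# the unpacked tarball; here both are constructed samples.
use strict;
use warnings;

my $ACTIONS = qr/(?:alert|log|pass|drop|reject|sdrop)/;

# Map SID -> 1 (enabled) or 0 (commented out) for every rule in a rule text.
# Only lines that look like a rule (action keyword plus sid option) count;
# ordinary comments are ignored.
sub rule_states {
    my ($text) = @_;
    my %state;
    for my $line (split /\n/, $text) {
        next unless $line =~ m/^\s*(#\s*)?$ACTIONS\s.*\bsid\s*:\s*(\d+)\s*;/;
        $state{$2} = defined $1 ? 0 : 1;
    }
    return \%state;
}

# Rewrite the new rule text so every SID keeps the state it had in the old
# text. SIDs unknown to the old file keep whatever state the vendor shipped.
# Returns the rewritten text and the list of SIDs whose state was changed.
sub apply_states {
    my ($new_text, $old_state) = @_;
    my (@out, @changed);
    for my $line (split /\n/, $new_text) {
        if ($line =~ m/^(\s*)(#\s*)?($ACTIONS\s.*\bsid\s*:\s*(\d+)\s*;.*)$/) {
            my ($indent, $comment, $rule, $sid) = ($1, $2, $3, $4);
            if (exists $old_state->{$sid}) {
                my $now_enabled = !defined $comment;
                if ($old_state->{$sid} && !$now_enabled) {
                    $line = "$indent$rule";      # admin had it on: uncomment
                    push @changed, $sid;
                }
                elsif (!$old_state->{$sid} && $now_enabled) {
                    $line = "$indent# $rule";    # admin had it off: comment out
                    push @changed, $sid;
                }
            }
        }
        push @out, $line;
    }
    return (join("\n", @out) . "\n", \@changed);
}

# Constructed sample: the installed file, with SID 2000001 disabled by hand
# and SID 2000003 enabled by hand although the vendor ships it commented.
my $old = <<'OLD';
# ET TROJAN sample rules (constructed)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample one"; sid:2000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample two"; sid:2000002; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"sample three"; sid:2000003; rev:2;)
OLD

# Constructed sample: the downloaded update, where revisions moved on and a
# new SID appeared; the vendor ships them on/on/off/on.
my $new = <<'NEW';
# ET TROJAN sample rules (constructed)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample one"; sid:2000001; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample two"; sid:2000002; rev:1;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"sample three"; sid:2000003; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample four"; sid:2000004; rev:1;)
NEW

my ($merged, $changed) = apply_states($new, rule_states($old));
print $merged;
print "re-applied admin state for SIDs: @$changed\n";
```

Because the state is keyed by SID rather than by line text, a rule whose revision or message changed in the update is still matched to the administrator's earlier choice.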

dnl
Posts: 313
Joined: June 28th, 2013, 11:03 am

Re: Snort Rules Update

Post by dnl » September 11th, 2018, 9:56 am

Since the update to IPFire Core Update 123 I've been getting SSL related errors:

Code:

# perl -w /var/ipfire/snort/snortupdate.pl
Unrecognized LWP::UserAgent options: ssl_opts at /var/ipfire/snort/snortupdate.pl line 112
Use of uninitialized value $vnumer in substitution (s///) at /var/ipfire/snort/snortupdate.pl line 141.
Use of uninitialized value $vnumer in numeric gt (>) at /var/ipfire/snort/snortupdate.pl line 142.
Unrecognized LWP::UserAgent options: ssl_opts at /var/ipfire/snort/snortupdate.pl line 112
Unrecognized LWP::UserAgent options: ssl_opts at /var/ipfire/snort/snortupdate.pl line 112
No updates found.
Could this be related to the snort update changes Michael mentioned in the release post?
It says:
"Downloads of rulesets properly validate any TLS certificates"

I gather that the error is related to the LWP::UserAgent version being too old in a perl-www module?
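The release note dnl quotes is about whether ruleset downloads validate the server's TLS certificate; the thread's webGet passes verify_hostname => 0, which switches that validation off, so a tampered download would be accepted and fed to oinkmaster. The snippet below is an added example, not the thread's script, of the verifying form: it requires LWP::UserAgent 6.00 or later, the release in which the ssl_opts option was introduced (an older LWP ignores it with exactly the "Unrecognized LWP::UserAgent options" warning shown above), and fails closed on any HTTP or TLS error. The CA bundle path is an assumption and should be set to wherever the system keeps its trust store.

```perl
#!/usr/bin/perl
# Added example, not the thread's webGet: fetch a ruleset URL with TLS
# certificate validation switched on and fail closed when it cannot be
# verified. The CA bundle path is an assumed location for IPFire.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $CA_BUNDLE = '/etc/ssl/certs/ca-bundle.crt';   # assumed location

sub make_ua {
    # ssl_opts exists from LWP::UserAgent 6.00; an older LWP would ignore it
    # (with the warning seen in dnl's post) and leave verification undefined,
    # so refuse to run rather than download unverified
    LWP::UserAgent->VERSION(6.00);
    die "CA bundle $CA_BUNDLE not found\n" unless -r $CA_BUNDLE;
    return LWP::UserAgent->new(
        timeout  => 60,
        ssl_opts => {
            verify_hostname => 1,          # check the name and the chain
            SSL_ca_file     => $CA_BUNDLE, # against an explicit trust store
        },
    );
}

# Download $url into $dest; dies on any HTTP or TLS failure instead of letting
# a partial or unverified file reach oinkmaster. Returns the bytes written.
sub fetch_ruleset {
    my ($url, $dest) = @_;
    my $ua  = make_ua();
    my $res = $ua->request(HTTP::Request->new(GET => $url), $dest);
    die "download of $url failed: " . $res->status_line . "\n"
        unless $res->is_success;
    return -s $dest;
}

if (@ARGV == 2) {
    my $bytes = fetch_ruleset(@ARGV);
    print "fetched $bytes bytes to $ARGV[1]\n";
} else {
    print "usage: $0 <https-url> <destination-file>\n";
}
```

Dropping this in for webGet plus the wget call keeps the version check and the tarball download on verified connections, which is what the Core Update release note asks of ruleset downloads.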
