This may seem simple to some people, but to others it is not so easy. If you installed Snort yourself you will already know where the rules files are; however, these days many Linux distros come with Snort pre-installed and MySQL configured, so there is nothing to do but start Snort's IDS.
Snort comes with a fairly robust rule set, but if you only use the free rules you will realize they are 7 days behind the paid-for rules. In most situations this can be acceptable, but for the security aware 7 days is a very long time.
One solution is to add the Emerging Threats rulesets to your Snort rules and set them up to work together. Emerging Threats rules are bleeding edge, so keep that in mind in a high-traffic production environment. The rules can be gotten here. Once you download them, untar the archive and copy the rules over to your Snort rules folder.
- root@virus:~# wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
- --12:11:14-- http://www.emergingthreats.net/rules/emerging.rules.tar.gz
- => `emerging.rules.tar.gz'
- Resolving www.emergingthreats.net... 220.127.116.11
- Connecting to www.emergingthreats.net|18.104.22.168|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 1,016,492 (993K) [application/x-tar]
- 100%[===========================================================>] 1,016,492 391.58K/s
- 12:11:17 (390.50 KB/s) - `emerging.rules.tar.gz' saved [1016492/1016492]
- root@virus:~# tar xzvf emerging.rules.tar.gz
- root@virus:~# cp rules/*.rules /etc/snort/rules/
The next thing you need to do is add the names of all the rules files to the relevant section of your snort.conf. An example of the proper format would be:
- include $RULE_PATH/exploit.rules
You will need to make an entry for each rules file in order to use them all. OK, so now that we have that done there is one more little problem to overcome. Depending on which Snort rules you are using, there are a few ET rules which can conflict with them. There is no easy way to figure this out other than trial and error.
So here's what we do. If you are using some sort of init.d script for Snort, stop it now.
Next, start Snort from the command line like this:
- snort -T -c /etc/snort/snort.conf (or whatever the path to your snort.conf may be)
If there are any conflicting rules, Snort will error out and die. Take note of the offending rule, go to your snort.conf and comment it out. Then re-run the snort command and repeat the process until Snort stops giving errors on rules. Generally, in my experience, there are about three or four which will not work. Once we have a successful test run we can restart our Snort init.d script and put our IDS back into action.
In order to stay updated with Emerging Threats we can use Oinkmaster. I am assuming you already use Oinkmaster to update your Snort rules in a cron job of some sort. If you are not using Oinkmaster, I suggest you do so as soon as possible.
Open up your oinkmaster.conf file and find the line where it references the Snort rules. It should look like this:
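The two manual steps above (adding an include line per ET rules file, then commenting out the ones that make snort -T fail) as an added POSIX shell helper; this is not code from the original post. It assumes you pass it the extracted ET rules directory and your snort.conf, and it only recognises include lines written exactly in the form shown above.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): generate "include $RULE_PATH/<file>"
# lines for every .rules file in a directory, append them to snort.conf, and
# comment one out again when "snort -T -c snort.conf" reports a conflict.

# Print an include line for each rules file that snort.conf does not already
# reference, whether as a live include or one that was commented out earlier.
# $1 = rules directory (e.g. the extracted ET rules/), $2 = snort.conf
et_include_lines() {
    rules_dir=$1; conf=$2
    for f in "$rules_dir"/*.rules; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=$(basename "$f")
        line="include \$RULE_PATH/$name"
        # -x: whole-line match, -F: literal (no regex surprises from $ or .)
        if grep -qxF -e "$line" -e "# $line" "$conf"; then
            continue
        fi
        printf '%s\n' "$line"
    done
}

# Append the missing include lines to snort.conf (captured first, so we
# never read and append to the same file in one pipeline).
et_append_includes() {
    new=$(et_include_lines "$1" "$2")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$2"
    fi
}

# After "snort -T" names a rules file that conflicts, comment its include
# line out. $1 = snort.conf, $2 = rules file name (e.g. emerging-foo.rules)
disable_include() {
    conf=$1; name=$2
    tmp="$conf.tmp.$$"
    # \$ keeps the $ literal inside the sed pattern; & re-inserts the match
    sed 's|^[[:space:]]*include \$RULE_PATH/'"$name"'[[:space:]]*$|# &|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Usage: sh et-includes.sh /path/to/extracted/rules /etc/snort/snort.conf
# prints the include lines that would be added, for review before appending.
if [ "$#" -eq 2 ]; then
    et_include_lines "$1" "$2"
fi
```

Run et_append_includes, then `snort -T -c /etc/snort/snort.conf`, and call disable_include for each rules file Snort complains about until the test run is clean.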
- url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>
And add a line under it that reads:
- url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
Now Oinkmaster will update the ET rules at the same time as the Snort rules.