Exploring the latest version of Snort

Typical Preprocessors

I've found that the following preprocessors are often specified in snort.conf to make sure all traffic types are used on a network. To enable these preprocessors, uncomment them within the snort.conf file:

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

These preprocessors make it possible for Snort and DAQ to modify packets as necessary in order to drop suspicious TCP traffic.

Using PulledPork to Update Rulesets

As you might suspect, Snort is only as good as its preprocessors and rules. As you might further expect, managing all of the new rules can be quite a challenge, especially because new forms of attacks are being dreamed up constantly. How do are you supposed to manage all of these rules?

The best way to manage rules (called "rulesets" by the official documentation) is by using the PulledPork application. Once called Baconator, PulledPork is capable of grabbing – or pulling – the latest rules from the Snort website. For those of you who have been using Oinkmaster for years, using PulledPork may require a bit of adjustment, but the simplified rule management is worth changing your ways.

See the box titled "Updates and PulledPork" for more on managing Snort rulesets.

Updates and PulledPork

PulledPork, once called Baconator, is the best way to manage Snort rulesets. For those of you who have been using Oinkmaster for years, PulledPork may require a bit of adjustment.

First, download PulledPork at one of the many repositories, including Google:

$ wget http://pulledpork.googlecode.com/svn/trunk/ pulledpork.pl

Then, make sure that pulledpork.pl has at least 755 permissions:

/usr/local/bin$ sudo chmod 755 pulledpork.pl

To get PulledPork going, edit the /etc/pulledpork/pulledpork.conf file to include the relevant entries. For example, if you want to always have "emerging threat" rules constantly updated on your Snort system, enter the following:

rule_url=https://www.snort.org/reg-rules/|\
  snortrules-snapshot.tar.gz|<oinkcode>#
rule_url=https://rules.emergingthreats.net/|\
  etpro.rules.tar.gz

If you are a subscriber, enter the following line at the end of the rule:

<et oinkcode>

Then, make sure cron is configured to run the PulledPork Perl script:

0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf \
  -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules

You are now using PulledPork to include the most current updates.

More than Prettying Up the Pig?

Snort will always be something you can install on your Linux system independently of any Cisco hardware. Still, you know that Cisco is going to create a tight, compelling integration of Snort into all Cisco hardware.

Also, you're going to see more rules and plugins specific to NetFlow, Cisco's standard for traffic monitoring. That's a bit worrisome in a sense. For now, however, I am intrigued by Cisco's interest in enhancing the ability for network security professionals to analyze data.

When it comes to intrusion detection, the most significant focus areas are: prevention, detection, collection, and mitigation. Snort has shown over the past 15 years an unparalleled ability to gather and even detect a great many anomalies, yet it has not been strong in analysis. This latest version of Snort has taken a major step in this direction,

It's exciting to see the changes, including the new DAQ and Snort's improved IPS ability. Although it is possible to run Snort in pretty much the same way you always have, the new functionality promises to make Snort ready for a more analytical future.

I'm especially interested in Snort's improved ability to filter TCP-based traffic, including email traffic.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Snort Helpers

    Snort is the de facto standard for open source network intrusion detection. The developer community has kept a fairly low profile for a couple of years, but extensions like Snorby, OpenFPC, and Pulled Pork have given the old hog a new lease on life.

  • Snort

    Search out hidden attacks with the Snort intrusion detection system.

  • Intrusion Detection

    The Prelude security information management system receives both host- and network-based IDS messages and displays them in an easy web interface. We show you how to set it up.

  • Suricata

    Snort isn't the only free intrusion detection tool in the barnyard. We'll show you a powerful and promising alternative known as Suricata.

  • Security Visualization Tools

    Spot intruders with these easy security visualization tools.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News