Exploring the latest version of Snort
Typical Preprocessors
I've found that the following preprocessors are often specified in snort.conf
to make sure all traffic types are used on a network. To enable these preprocessors, uncomment them within the snort.conf
file:
preprocessor normalize_ip4 preprocessor normalize_tcp: ips ecn stream preprocessor normalize_icmp4 preprocessor normalize_ip6 preprocessor normalize_icmp6
These preprocessors make it possible for Snort and DAQ to modify packets as necessary in order to drop suspicious TCP traffic.
Using PulledPork to Update Rulesets
As you might suspect, Snort is only as good as its preprocessors and rules. As you might further expect, managing all of the new rules can be quite a challenge, especially because new forms of attacks are being dreamed up constantly. How do are you supposed to manage all of these rules?
The best way to manage rules (called "rulesets" by the official documentation) is by using the PulledPork application. Once called Baconator, PulledPork is capable of grabbing – or pulling – the latest rules from the Snort website. For those of you who have been using Oinkmaster for years, using PulledPork may require a bit of adjustment, but the simplified rule management is worth changing your ways.
See the box titled "Updates and PulledPork" for more on managing Snort rulesets.
Updates and PulledPork
PulledPork, once called Baconator, is the best way to manage Snort rulesets. For those of you who have been using Oinkmaster for years, PulledPork may require a bit of adjustment.
First, download PulledPork at one of the many repositories, including Google:
$ wget http://pulledpork.googlecode.com/svn/trunk/ pulledpork.pl
Then, make sure that pulledpork.pl
has at least 755 permissions:
/usr/local/bin$ sudo chmod 755 pulledpork.pl
To get PulledPork going, edit the /etc/pulledpork/pulledpork.conf
file to include the relevant entries. For example, if you want to always have "emerging threat" rules constantly updated on your Snort system, enter the following:
rule_url=https://www.snort.org/reg-rules/|\ snortrules-snapshot.tar.gz|<oinkcode>#
rule_url=https://rules.emergingthreats.net/|\ etpro.rules.tar.gz
If you are a subscriber, enter the following line at the end of the rule:
<et oinkcode>
Then, make sure cron is configured to run the PulledPork Perl script:
0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf \ -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
You are now using PulledPork to include the most current updates.
More than Prettying Up the Pig?
Snort will always be something you can install on your Linux system independently of any Cisco hardware. Still, you know that Cisco is going to create a tight, compelling integration of Snort into all Cisco hardware.
Also, you're going to see more rules and plugins specific to NetFlow, Cisco's standard for traffic monitoring. That's a bit worrisome in a sense. For now, however, I am intrigued by Cisco's interest in enhancing the ability for network security professionals to analyze data.
When it comes to intrusion detection, the most significant focus areas are: prevention, detection, collection, and mitigation. Snort has shown over the past 15 years an unparalleled ability to gather and even detect a great many anomalies, yet it has not been strong in analysis. This latest version of Snort has taken a major step in this direction,
It's exciting to see the changes, including the new DAQ and Snort's improved IPS ability. Although it is possible to run Snort in pretty much the same way you always have, the new functionality promises to make Snort ready for a more analytical future.
I'm especially interested in Snort's improved ability to filter TCP-based traffic, including email traffic.
Infos
- Snort: https://www.snort.org/
- Snort Downloads: https://www.snort.org/downloads
- Libnet at Sourceforge: http://libdnet.sourceforge.net
- Rudix: https://code.google.com/p/rudix/downloads/detail?name=libdnet-1.12-0.pkg&can=2&q=
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)