Working with Snort Rules

Automatically Updating Snort Rules

There are multiple tools available to update Snort rules. Whichever tool you use, be careful: an update can silently overwrite or delete rules you have customized, so keep customized rules in their own files and back up the rules directory before updating. I shall discuss two methods of updating the rules.

The Simple Method

This method consists of a simple shell script. It requires that you have the wget program installed on your system. wget retrieves a file over HTTP (it also handles HTTPS and FTP) from a URL given as a command line argument; in essence, it is a non-interactive web browser that fetches one file and saves it to disk.

Let us explore how this script works. The following lines simply set some variables.

The following three lines change to the /tmp directory, remove any existing /tmp/rules directory, and download the snortrules.tar.gz file from the URI specified by the $RULESURI variable.

After downloading, you extract the rules from snortrules.tar.gz and then delete the archive using the following two lines. The extracted files are placed in the /tmp/rules directory.

The following line makes a backup copy of the existing rules files, in case you need the old copy later on (for example, to roll back a bad update).

The last line in the script moves the new rules from the /tmp/rules directory to the actual rules directory /etc/snort, where Snort can read them.

Make sure to restart Snort after running this script, because a running Snort process does not re-read its rule files. If you have a start script like the one described in Chapter 2, you can add a line at the end of the shell script to restart Snort.

You may also restart Snort using the command line.
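The script itself is not reproduced on this page. What follows is an added example written for this edit, not the book's own script: it implements the steps described above (set variables, fetch snortrules.tar.gz into /tmp, extract it, back up the current rules, move the new rules into /etc/snort, restart Snort) and adds the checks a practitioner would want. The original fetches over plain HTTP with no integrity check, so the example accepts an optional SHA-256 to compare the download against, refuses archive members with absolute or parent-directory paths, and keeps the customized files named in PRESERVE (assumed to be local.rules) out of the way of the update. The rule-set URL, the restart command and the assumption that the tarball unpacks into a top-level rules/ directory are all assumptions; a plain local path is accepted in place of a URL so the script can be exercised offline.

```sh
#!/bin/sh
# Added example: a reconstruction of the simple update script described in
# the text, with extra checks. Not the book's own script. Every path,
# variable name and default below is an assumption.
RULESURI="${RULESURI:-}"              # location of snortrules.tar.gz (not reproduced here)
SNORTDIR="${SNORTDIR:-/etc/snort}"    # directory Snort reads rule files from
WORKDIR="${WORKDIR:-/tmp}"            # scratch area; the archive unpacks into $WORKDIR/rules
PRESERVE="${PRESERVE:-local.rules}"   # customized files that must never be overwritten
RESTART_CMD="${RESTART_CMD:-}"        # e.g. "/etc/init.d/snort restart"; empty = no restart

# Fetch the archive. http/https/ftp go through wget as in the original; a plain
# local path is copied so the script can be tested offline (addition, not original).
fetch_rules() {
    uri="$1"; dest="$2"
    case "$uri" in
        http://*|https://*|ftp://*) wget -q -O "$dest" "$uri" ;;
        *) cp "$uri" "$dest" ;;
    esac
}

# Compare the download against an expected SHA-256 when one is given; an empty
# expectation means "no check", which is what the original script does.
verify_checksum() {
    [ -z "$2" ] && return 0
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Refuse archives whose member names are absolute or contain a ".." component,
# so a tampered tarball cannot write outside $WORKDIR/rules when extracted.
check_archive() {
    tar tzf "$1" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null && return 1
    return 0
}

# update_snort_rules [URI] [SHA256]   (URI defaults to $RULESURI)
update_snort_rules() {
    uri="${1:-$RULESURI}"; expected="${2:-}"
    tarball="$WORKDIR/snortrules.tar.gz"
    stamp=$(date +%Y%m%d%H%M%S)
    [ -n "$uri" ] || { echo "no rules URI given" >&2; return 1; }

    cd "$WORKDIR" || return 1
    rm -rf "$WORKDIR/rules"
    fetch_rules "$uri" "$tarball" || { echo "download failed" >&2; return 1; }
    verify_checksum "$tarball" "$expected" || { echo "checksum mismatch" >&2; rm -f "$tarball"; return 1; }
    check_archive "$tarball" || { echo "unsafe member path in archive" >&2; rm -f "$tarball"; return 1; }
    tar xzf "$tarball" && rm -f "$tarball"
    [ -d "$WORKDIR/rules" ] || { echo "archive did not contain rules/" >&2; return 1; }

    # Back up the current rules (as the original does), then copy the customized
    # files over the downloaded copies so the move below keeps the local version.
    mkdir -p "$SNORTDIR"
    cp -Rp "$SNORTDIR" "$SNORTDIR.bak.$stamp"
    for f in $PRESERVE; do
        [ -f "$SNORTDIR/$f" ] && cp "$SNORTDIR/$f" "$WORKDIR/rules/$f"
    done
    mv -f "$WORKDIR/rules"/* "$SNORTDIR"/
    rm -rf "$WORKDIR/rules"

    # Snort does not re-read rules on its own, so restart it if a command was given.
    [ -n "$RESTART_CMD" ] && $RESTART_CMD
    return 0
}

# Run only when invoked as a script with SNORT_UPDATE_MAIN=1, so the file can
# also be sourced for its functions.
if [ "${SNORT_UPDATE_MAIN:-0}" = "1" ]; then
    update_snort_rules "$@"
fi
```

Run it as `SNORT_UPDATE_MAIN=1 RESTART_CMD="/etc/init.d/snort restart" sh update-rules.sh http://.../snortrules.tar.gz <sha256>` (the URL and init script name are placeholders). The backup directory is named /etc/snort.bak.<timestamp>, so old copies accumulate and should be pruned; a rules file the vendor renames is not removed from /etc/snort by this script, which mirrors the behaviour of the original mv.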

The Sophisticated and Complex Method

This section describes the use of Oinkmaster, a tool for updating Snort rule files. It is written in Perl, so you must have Perl installed on your Snort machine to make this tool work. It can be configured to download new rule files from the Internet, determine which rules need to be updated, and then update them. If you have modified some standard rules according to your own requirements, you can configure Oinkmaster not to touch those customized rules. At the time of writing this book, version 0.6 of this tool was available; newer versions may be available by now. Oinkmaster is a Perl script and reads a configuration file that controls how the rules are updated.

It is recommended that you use a temporary directory the first time you use this Perl script, so that you can inspect the result before anything in /etc/snort changes. I have used the /tmp/rules directory. When you use the following command, it downloads all rules, untars them, and saves all files in the /tmp/rules directory.

The tool gives you a detailed report of the actions taken during the update process. You can test this by deleting and modifying some rules and running the tool again. The following is partial output seen when Oinkmaster adds and updates some rules.

The script uses a configuration file in which many options can be set. Specifically, you can configure the following in the configuration file oinkmaster.conf:

  • The URL of the location from which the Snort rules are downloaded. This is configured using the url keyword in the configuration file.
  • The files to be updated. By default, files ending in .rules, .config, .conf, .txt and .map are updated and all other files are ignored. This is done using the update_files keyword.
  • Files to be skipped when updating rules. This is done using the skipfile keyword; you can use as many skipfile lines as you like. This option is useful when you keep customized rules in files of their own: when you skip those files, your customized rules are not overwritten during the update process.
  • Individual rules that you want disabled permanently, listed by SID with the disablesid keyword in the configuration file. The tool leaves these rules disabled after every update, instead of re-enabling them when a new copy arrives.
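As an added illustration of those four settings (this is not the configuration file shipped with Oinkmaster, and the URL, file names and SIDs are placeholders), an oinkmaster.conf might look like this:

```conf
# Added example oinkmaster.conf; every value below is a placeholder.

# Where to download the rule archive from (url keyword).
url = http://rules.example.invalid/snortrules.tar.gz

# Which files in the archive to update (update_files keyword, a regex).
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

# Files that hold customized rules and must never be overwritten
# (skipfile keyword, one file per line).
skipfile = local.rules
skipfile = snort.conf

# Rules to keep disabled across updates, by SID (disablesid keyword).
disablesid 1000001, 1000002
```

Point the first run at a scratch directory, as the text recommends: `oinkmaster.pl -C /etc/oinkmaster.conf -o /tmp/rules`. Once you are satisfied, use the directory your snort.conf actually includes rules from, and keep a backup of each run with `-b`: `oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules -b /var/backups/snort`. Before restarting Snort, run `snort -T -c /etc/snort/snort.conf` so that a malformed downloaded rule is caught in test mode rather than by the sensor going down. A cron entry such as `0 3 * * * /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules -b /var/backups/snort >> /var/log/oinkmaster.log 2>&1` (paths assumed) performs the periodic update mentioned below.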

Refer to the README and INSTALL files that come with the tool for the full list of options. You can run this tool from a cron job to update your rule set periodically; remember that Snort must still be restarted to load the new rules.