Posts Tagged ‘snort’

Scripting Snort Rule Updates to Multiple Sensors

April 28th, 2011

I recently found myself in a situation where I had a couple dozen Snort sensors deployed in a network with no commercial software for centralized management. Because sensor management was decentralized, one of the bigger headaches was adding new custom rules to all of the sensors: each new rule had to be added manually to the custom rules file on every sensor. Since those rules all live in a single file, I wrote a bash script that automates the process. With it, an analyst only has to add the new rules to one file and run the script to push it out to all of the sensors. I thought I’d share it here for those who might get some use from it.

FAQ

What does the script do?

The script does a few simple tasks. It will perform the following actions for each IP in its sensor list:

  • Creates a backup of the existing custom rules file on the sensor.
  • Replaces the current rules file with the new rules file.
  • Runs ‘diff’ against the old (backed-up) and new rules files and writes the result to a timestamped log file in /var/log/snortrules.
  • Restarts Snort on the sensor so the new rules take effect.

What are the requirements for running the script?

In order to execute the script, the following conditions must be met:

  • A custom rules file with the same name as the custom rules file on the sensors must exist in the directory the script is run from.
  • You must have SSH/SCP connectivity to the sensors.
  • The account you connect as must have permission to perform the actions described above in the relevant directories (and to restart Snort).

Additionally, it helps to have SSH public-key (or certificate) authentication set up for a service account that can perform the actions this script takes. Otherwise you will have to authenticate with a password to each sensor. Keep in mind that an account able to overwrite rules and restart Snort on every sensor is a high-value credential: protect its private key accordingly and grant it only the permissions the script needs.

How do I add in the addresses for my sensors?

The first line of code in the script contains the list of sensor IP addresses. Replace the addresses in that list with those of your own sensors, delimited by spaces.

What other variables do I need to modify within the script to match my environment?

There are three main variables in addition to the sensor IP addresses. These are:

  • rulepath – The path on the remote sensor where the custom rules file lives
  • customrules – The name of the custom rules file
  • user – The user name to use for authentication to the sensor
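The steps above, as an added example in bash. This is not the original post’s script (which is only available through the download link); it uses the same `rulepath`, `customrules` and `user` variables, adds a `logdir`, and adds the error checking the post says is missing: a `snort -T` configuration test on the sensor before the restart, with the backup restored if the new file fails to load. The sensor addresses, the service account name `snortpush`, the Snort config path and the `sudo`-based test and restart commands are placeholders to adjust for your environment.

```bash
#!/usr/bin/env bash
# Added example: push one custom Snort rules file to many sensors over SSH.
# Not the original post's script; sensor IPs, account, paths and the
# service commands below are placeholders (assumptions) to replace.
set -euo pipefail

sensors="${SENSORS:-192.0.2.10 192.0.2.11}"        # space-delimited sensor IPs (placeholder)
rulepath="${RULEPATH:-/etc/snort/rules}"           # directory holding the custom rules on the sensor
customrules="${CUSTOMRULES:-local.rules}"          # rules file name, same locally and on the sensor
user="${SSH_USER:-snortpush}"                      # service account with SSH key auth on every sensor
logdir="${LOGDIR:-/var/log/snortrules}"            # local directory for the per-push diff logs
newrules="${NEWRULES:-./$customrules}"             # the updated copy in the current directory
# Config test and restart commands run on the sensor (assumed sudo rights).
snort_test_cmd="${SNORT_TEST_CMD:-sudo snort -q -T -c /etc/snort/snort.conf}"
snort_restart_cmd="${SNORT_RESTART_CMD:-sudo systemctl restart snort}"

# Transport hooks. Kept as functions so the backup/diff/rollback logic can
# be exercised locally by redefining them (see usage note).
remote_sh() { ssh -o BatchMode=yes "$user@$1" "$2"; }   # $1 host, $2 shell command
remote_cp() { scp -q "$1" "$user@$2:$3"; }              # $1 local path, $2 host, $3 remote path

# Push $newrules to one sensor: back up, replace, diff, test, restart.
# If the new file fails "snort -T" the backup is put back and the function
# returns 1, so a typo in a rule never takes a sensor down.
push_to_sensor() {
    local host="$1" stamp remote_file backup difflog
    stamp="$(date +%Y%m%d-%H%M%S)"
    remote_file="$rulepath/$customrules"
    backup="$remote_file.$stamp.bak"
    difflog="$logdir/$host-$stamp.diff"
    mkdir -p "$logdir"

    remote_sh "$host" "cp -p '$remote_file' '$backup'" \
        || { echo "$host: backup failed, not touching rules" >&2; return 1; }
    remote_cp "$newrules" "$host" "$remote_file" \
        || { echo "$host: copy failed" >&2; return 1; }
    # diff exits 1 when the files differ; that is the expected case, not an error
    remote_sh "$host" "diff -u '$backup' '$remote_file' || [ \$? -eq 1 ]" > "$difflog" \
        || echo "$host: diff failed (see $difflog)" >&2
    if ! remote_sh "$host" "$snort_test_cmd"; then
        echo "$host: new rules failed the config test, restoring $backup" >&2
        remote_sh "$host" "cp -p '$backup' '$remote_file'"
        return 1
    fi
    remote_sh "$host" "$snort_restart_cmd" \
        || { echo "$host: restart failed" >&2; return 1; }
    echo "$host: rules updated, diff in $difflog"
}

# Push to every sensor; return value is the number of sensors that failed.
push_all() {
    local failed=0 host
    for host in $sensors; do
        push_to_sensor "$host" || failed=$((failed + 1))
    done
    return "$failed"
}

if [ "$#" -gt 0 ] && [ "$1" = "--push" ]; then
    push_all
fi
```

Run it as `./push_snort_rules.sh --push` from the directory that holds the updated rules file. Because every sensor interaction goes through `remote_sh` and `remote_cp`, the backup, diff and rollback behaviour can be checked against a local directory by redefining those two functions before calling `push_to_sensor`, which is how the example was exercised.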

Can I make modifications to the script?

Absolutely. I’m not a programmer. I’m just a guy who saw a need and wrote something to address it quickly. That said, the script could probably be set up a lot better and do a lot of neat things (like error checking). If you find some value in the script and want to make modifications or additions to it, then by all means do so; I just ask that you send those changes back to me so everyone can benefit.

With all that out of the way, you can download the script here.

Snort Alert Log Reverser

February 9th, 2010

I’ve been using Snort as a host-based IDS on my laptop for quite a while now, and rather than expanding my attack surface by installing a database server for logging, I simply log to the standard flat-file format. In this format all Snort alerts are logged to an alert.ids file in the C:/Snort/log directory. Previously I just reviewed this log frequently, but for quite some time I’ve wanted something a bit more real-time. I’m not sure I’ve found the best solution, but I’m currently using RainMeter to display the most recent Snort alerts on my desktop.


I did run into one problem whose solution I think others might be interested in. Snort appends the newest alerts to the bottom of the alert.ids file, which makes gathering the most recent alerts with Perl regular expressions a somewhat complicated task. I brought this problem to my analysis team at EWA, and Jason Smith, who has just started learning Perl, developed a script that alleviates it. The script takes the last alert in the alert.ids file and places it at the top of a new “parsed” file; the second-to-last alert in alert.ids becomes the second alert in the parsed file, and so on. As a bit of expanded functionality, the script only grabs the first four lines of every alert, which gives the alert name, classification, priority, and basic packet information. This makes for a more condensed and concise output.
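A bash version of what the Perl script is described as doing, added here as an example (it is not Jason Smith’s script): it reads a full-format alert.ids, emits the alerts newest first, keeps the first four lines of each, and strips the carriage returns a Windows-written log carries so that the blank-line separators between alerts are still recognised. It also writes the parsed file atomically, so a poller such as RainMeter never reads a half-written copy. The sample alert entries used to exercise it are constructed, and the file paths are placeholders.

```bash
#!/usr/bin/env bash
# Added example: newest-first summary of a Snort full-format alert log.
# Not the original post's Perl script; paths are placeholders (assumptions).
set -euo pipefail

# Print the alerts in file $1 newest first, keeping the first $2 lines of
# each (default 4: rule header, classification/priority, timestamp and
# addresses, protocol line). Alerts are blank-line separated paragraphs
# that begin with "[**]". Carriage returns are removed first, otherwise a
# CRLF log has no truly blank lines and awk's paragraph mode never splits.
reverse_alerts() {
    local file="$1" keep="${2:-4}"
    tr -d '\r' < "$file" | awk -v keep="$keep" '
        BEGIN { RS = ""; FS = "\n" }            # paragraph mode: one record per alert
        $1 ~ /^\[\*\*\]/ {                      # ignore anything that is not an alert block
            n++
            rec = $1
            for (i = 2; i <= keep && i <= NF; i++) rec = rec "\n" $i
            out[n] = rec
        }
        END {
            for (i = n; i >= 1; i--) {          # last alert in the file comes out first
                print out[i]
                if (i > 1) print ""
            }
        }'
}

# Rewrite $2 from $1 via a temporary file and rename, so a reader that
# polls the parsed file (the post's RainMeter setup) never sees it partially
# written.
write_parsed() {
    local src="$1" dst="$2" tmp
    tmp="$(mktemp "${dst}.XXXXXX")"
    reverse_alerts "$src" > "$tmp"
    mv -f "$tmp" "$dst"
}

if [ "$#" -ge 2 ]; then
    write_parsed "$1" "$2"
fi
```

Invoked as `./snort_parser.sh /c/Snort/log/alert.ids /c/Snort/log/parsed.txt` from a scheduled task under a bash on the Windows host (Cygwin, Git Bash or WSL are assumptions; any bash with awk will do), it replaces the Perl script and can be rerun every few minutes the same way.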


You can download the script here: snort_parser.zip


As for implementation, I have setup a scheduled task that runs the script every 5 minutes so that the RainMeter on my desktop is updated very frequently. One small issue I noticed was that when this task ran it would pop up a command prompt window momentarily which was quite annoying. In order to combat this I created a VBS script that runs the perl script in the background. Rather than running the perl script, the scheduled task runs the VBS script which calls the perl script as an argument so that the process is invisible to me.


You can download the VBS script here: silent_launcher.vbs


Feel free to download, use, and distribute these files as you see fit.