Chapter 3     Working with Snort Rules
You must be careful when choosing this order because just one badly written pass
rule may allow many alert packets to pass through without being checked. If you really
know what you are doing, you can use the -o command line switch to disable the
default order and enable the new order of applying rules. You can also use config
order in the configuration file for this purpose. Again, this is dangerous and you have
been warned twice now! If you are sure of what you are doing, add this line in the
snort.conf file:
config order
If you define your own rule types, they are checked last in the sequence. For
example, if you have defined a rule type snmp_alerts, the order of rule application will be:
Alert -> Pass -> Log -> snmp_alerts
3.9 Automatically Updating Snort Rules
There are multiple tools available to update Snort signatures. When using any of these
tools you must be careful because you may accidentally modify or delete your
customized rules. I shall discuss two methods of updating rules.
3.9.1 The Simple Method
This method consists of a simple shell script. It requires that you have the wget
program installed on your system. The wget program is used to retrieve any file using
the HTTP protocol. In essence, it is just like a web browser, but it retrieves one file
named in a command line argument.
#!/bin/sh
# Place of storing your Snort rules. Change these variables
# according to your installation.
RULESDIR=/etc/snort
RULESDIRBAK=/etc/snort/bak
# Path to wget program. Modify for your system if needed.
WGETPATH=/usr/bin
# URI for Snort rules
RULESURI=http://www.snort.org/downloads/snortrules.tar.gz
# Get and untar rules.
# Stop if /tmp is unavailable so rm -rf never runs in the wrong directory.
cd /tmp || exit 1
rm -rf rules
$WGETPATH/wget $RULESURI
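
The caution above about accidentally modifying or deleting customized rules applies to the install step that follows a download. The script below is an added example, not the book's script: it assumes that the backup directory (RULESDIRBAK in the script above) holds pristine copies of the files the previous update installed. The function name safe_install and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the book's script): install freshly unpacked rule files
# without overwriting locally edited ones.
# Assumption: RULESDIRBAK holds pristine copies of what the previous update
# installed, so a live file that differs from its backup copy was edited locally.

# safe_install NEWDIR RULESDIR RULESDIRBAK
# Prints "installed NAME" or "kept-local NAME" for each *.rules file in NEWDIR.
safe_install() {
    newdir=$1 rulesdir=$2 bakdir=$3
    mkdir -p "$rulesdir" "$bakdir" || return 1
    for new in "$newdir"/*.rules; do
        [ -f "$new" ] || continue            # glob matched nothing
        name=$(basename "$new")
        live=$rulesdir/$name
        pristine=$bakdir/$name
        if [ -f "$live" ] && ! cmp -s "$live" "$pristine" 2>/dev/null; then
            # Edited locally, or no baseline to compare against: keep the live
            # file and stage the upstream copy beside it for a manual merge.
            cp "$new" "$live.new" || return 1
            echo "kept-local $name"
        else
            # Untouched since the last update (or brand new): replace it and
            # refresh the pristine baseline.
            cp "$new" "$live" && cp "$new" "$pristine" || return 1
            echo "installed $name"
        fi
    done
}

# Constructed sample data: two upstream files, one of which is edited locally
# between the first and second update.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/new"
    echo 'alert tcp any any -> any 23 (msg:"telnet"; sid:1000001;)' > "$t/new/telnet.rules"
    echo 'alert udp any any -> any 161 (msg:"snmp"; sid:1000002;)' > "$t/new/snmp.rules"
    safe_install "$t/new" "$t/rules" "$t/bak"          # first update
    echo 'alert tcp any any -> any 2323 (msg:"local"; sid:1000003;)' >> "$t/rules/telnet.rules"
    echo 'alert udp any any -> any 161 (msg:"snmp v2"; sid:1000002; rev:2;)' > "$t/new/snmp.rules"
    safe_install "$t/new" "$t/rules" "$t/bak"          # second update
    rm -rf "$t"
}
demo
```

Files that exist only in the live rules directory are never touched, and each staged .new file marks a rule file that needs a manual merge before Snort is restarted.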





