Automating ruleset updates with Oinkmaster


Updating the ruleset by hand every time a new attack is discovered is a laborious task. With oinkmaster, ruleset updates can be automated.

Obtain Oinkmaster from The Oinkmaster Snort rules updater.
As of 2003/12/01, oinkmaster-0.9.tar.gz is the latest version.
$ tar xvzf oinkmaster-0.8.tar.gz
$ cd oinkmaster-0.8
$ su
# mkdir /usr/local/oinkmaster
# cp oinkmaster.pl oinkmaster.conf /usr/local/oinkmaster
Create a directory beforehand for backing up the rule files already in use.
# mkdir /usr/local/snort/backup
# chown -R snort.snort /usr/local/snort/backup
# chmod 770 /usr/local/snort/backup
Next, create an oinkmaster user and make it a member of the snort group. Reset the permissions as well.
# su -
# useradd -g snort -d /usr/local/oinkmaster oinkmaster
# chown -R oinkmaster.snort /usr/local/oinkmaster
# chmod -R 770 /usr/local/snort
Next, test oinkmaster.
oinkmaster.pl takes the location of the conf file with the -C option.
# mkdir /tmp/snort
# chown -R snort.snort /tmp/snort
# chmod 770 /tmp/snort
# cd /usr/local/oinkmaster
# su oinkmaster
$ ./oinkmaster.pl -o /tmp/snort -C /usr/local/oinkmaster/oinkmaster.conf
Downloading rules archive from http://www.snort.org/dl/rules/snortrules-stable.tar.gz...
13:04:57 URL:http://www.snort.org/dl/rules/snortrules-stable.tar.gz [112609/112609]
 -> "/tmp/oinkmaster.5429/snortrules.tar.gz" [1]
Archive successfully downloaded, unpacking... done.
Disabling rules... 5 out of 2039 rules disabled.
Setting up rules structures... done.
Comparing new files to the old ones... done.

[***] Results from Oinkmaster started Fri Oct 31 13:04:59 2003 [***]

[*] Rules modifications: [*]
    None.

[*] Non-rule line modifications: [*]
    None.

[+] Added files (consider updating your snort.conf to include them): [+]

    -> attack-responses.rules
    -> backdoor.rules
    -> bad-traffic.rules
    -> chat.rules
    -> classification.config
    -> ddos.rules
    -> deleted.rules
    -> dns.rules
    -> dos.rules
    -> experimental.rules
    -> exploit.rules
    -> finger.rules
    -> ftp.rules
    -> gen-msg.map
    -> icmp-info.rules
    -> icmp.rules
    -> imap.rules
    -> info.rules
    -> misc.rules
    -> multimedia.rules
    -> mysql.rules
    -> netbios.rules
    -> nntp.rules
    -> oracle.rules
    -> other-ids.rules
    -> p2p.rules
    -> policy.rules
    -> pop2.rules
    -> pop3.rules
    -> porn.rules
    -> reference.config
    -> rpc.rules
    -> rservices.rules
    -> scan.rules
    -> shellcode.rules
    -> sid-msg.map
    -> smtp.rules
    -> snmp.rules
    -> sql.rules
    -> telnet.rules
    -> tftp.rules
    -> virus.rules
    -> web-attacks.rules
    -> web-cgi.rules
    -> web-client.rules
    -> web-coldfusion.rules
    -> web-frontpage.rules
    -> web-iis.rules
    -> web-misc.rules
    -> web-php.rules
    -> x11.rules

$ cd /tmp/snort
$ ls
attack-responses.rules  info.rules        shellcode.rules
backdoor.rules          misc.rules        sid-msg.map
bad-traffic.rules       multimedia.rules  smtp.rules
chat.rules              mysql.rules       snmp.rules
classification.config   netbios.rules     sql.rules
ddos.rules              nntp.rules        telnet.rules
deleted.rules           oracle.rules      tftp.rules
dns.rules               other-ids.rules   virus.rules
dos.rules               p2p.rules         web-attacks.rules
experimental.rules      policy.rules      web-cgi.rules
exploit.rules           pop2.rules        web-client.rules
finger.rules            pop3.rules        web-coldfusion.rules
ftp.rules               porn.rules        web-frontpage.rules
gen-msg.map             reference.config  web-iis.rules
icmp-info.rules         rpc.rules         web-misc.rules
icmp.rules              rservices.rules   web-php.rules
imap.rules              scan.rules        x11.rules
$ exit
If the test shows no problems, try updating the real ruleset.
With the -b option, a backup is written to the backup directory created earlier.
# chown -R snort.snort /usr/local/snort
# chmod 770 /usr/local/snort
# cd /usr/local/oinkmaster
# su oinkmaster
$ ./oinkmaster.pl -o /usr/local/snort -b /usr/local/snort/backup -C /usr/local/oinkmaster/oinkmaster.conf

$ ls /usr/local/snort/backup
rules-backup-20031031-1308.tar.gz
To keep rules you had commented out from being re-enabled by an update, list the sids of the rules you do not want updated in oinkmaster.conf.
$ cat /usr/local/oinkmaster/oinkmaster.conf
# $Id: oinkmaster.conf,v 1.73 2003/09/02 19:40:29 andreaso Exp $ #


################################################
#    General options you may want to change    #
################################################

# URL to the rules archive to download (or copy).
# Must begin with http://, ftp:// or file:// and end with .tar.gz

# Use this one if you're running the latest release version of Snort
# (or following snort-STABLE):
url = http://www.snort.org/dl/rules/snortrules-stable.tar.gz

# Use this one *only* if you're following snort-CURRENT.
# This ruleset usually only works with recent develop versions of Snort!
# url = http://www.snort.org/dl/rules/snortrules-current.tar.gz

# Or if you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://, for example:
# url = file:///tmp/snortrules.tar.gz


# The PATH to use during execution.
# 'tar' and 'gzip' must be found, and also 'wget' if fetching rules
# from a remote host (all with optional .exe suffix).
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin

# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin

# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin


# Temporary directory to use. This directory must exist when starting
# (Oinkmaster will then create a temporary sub directory in here).
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise "/tmp" if none of them was set.

# Example for UNIX:
# tmpdir = /home/oinkmaster/tmp/

# Example if running native Win32 or Cygwin:
# tmpdir = c:\tmp

# Example if running Cygwin and you prefer Cygwin style path:
# tmpdir = /cygdrive/c/tmp


# The umask to use during execution if want it to be something else
# than the current value when starting Oinkmaster
# (keep it commented out to use the current value).
# For example:
# umask = 0027


# Files in the archive matching this regexp will be checked
# for changes, and then updated or added if needed.
# (You can then choose to skip individual files by specifying
# the "skipfile" keyword below".)
# Normally you shouldn't need to change this one.
# (But if you do, make sure it's still a valid regexp.)
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the total number
# of rules in it is below min_rules, the archive is regarded as
# broken and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# min_files = 1
# min_rules = 1



#######################################################################
# Files to totally skip (i.e. never update them or check for changes) #
#                                                                     #
# Syntax: skipfile filename                                           #
# or:     skipfile filename1, filename2, filename3, ...               #
#######################################################################

# Ignore (skip) "local.rules" from the rules archive by default, since we might
# have put some local rules in our own "local.rules", and we don't want
# it to get overwritten by the empty one from the archive after each update.
skipfile local.rules

# Also skip snort.conf from the rules archive by default since we don't
# want to overwrite our own snort.conf if we have it in the same directory as
# the rules. (If you have your own ("real") snort.conf in another directory, it
# may be really nice to check for changes in this file though, especially since
# new variables are sometimes added!)
skipfile snort.conf

# The file deleted.rules contains rules that have been deleted from other files.
# There is usually no point in watching it, but it may sometimes contain useful
# comments about *why* certain rules are deleted.
# Remove the comment to skip this file.
# skipfile deleted.rules



##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave).  #
# Don't use it unless you have to. There is nothing that stops you from  #
# modifying rules in such ways that they become invalid.                 #
# If you just want to disable SIDs, please skip this section and have a  #
# look at the "disablesid" keyword below.                                #
#                                                                        #
# You may specify several modifysid directives for the same SID, and     #
# you may also specify a list of SIDs on which the substitution should   #
# be applied. Note that #comments are NOT allowed on "modifysid" lines.  #
#                                                                        #
# Syntax: modifysid SID "replacethis" | "withthis"                       #
# or:                                                                    #
# Syntax: modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"     #
#                                                                        #
# The strings within the quotes will simply be passed to a               #
# s/replacethis/withthis/ statement in Perl, so they must be valid       #
# regular expressions.                                                   #
#                                                                        #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing "#alert" with "alert".
# modifysid 1325 "#alert" | "alert"

# But since it's actually regexps, it's better to make sure we only replace
# the "#alert" if it's at the beginning of the line and also don't care about
# possible whitespaces.
# modifysid 1325 "^\s*#\s*alert" | "alert"

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running Snort_inline).
# modifysid 1378 "^\s*alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET in SID 302.
# Remember that the strings are regular expressions, so you must
# escape special characters like $.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on several SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324.
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | "$1 replace:"\/foo\/sh";"



#############################################
# SIDs to comment out after each update     #
#                                           #
# Syntax:  disablesid SID                   #
# or:      disablesid SID1, SID2, SID3, ... #
#############################################

# You can specify one SID per line:
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists:
# disablesid 4,5,6
Write the sids of rules that must not be updated under disablesid. Either one sid per line or several sids on one line separated by commas is accepted.
Ruleset files you do not want updated go under skipfile. By default local.rules and snort.conf are listed (in oinkmaster 0.6, sid-msg.map as well). Signatures you write yourself are best kept in local.rules.

To apply the unwanted sids to the ruleset without performing an update, use the -r option.
$ cd ~
$ ./oinkmaster.pl -o /usr/local/snort -r
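The disablesid and modifysid keywords explained above, and the idea of re-applying that local policy to an already installed ruleset, can be seen in isolation with a small script. The following is an added example written for this page; it is not part of Oinkmaster and does not reproduce oinkmaster.pl. It parses a constructed oinkmaster.conf fragment and applies it to a constructed rules file whose SIDs are in the local range (1000000 and above, so they cannot be mistaken for official SIDs). Only a subset of Perl's substitution syntax is handled: a "\$" in the replacement string is unescaped, nothing else is translated.

```python
import re

# Constructed oinkmaster.conf fragment (not from a real deployment). Only the
# disablesid and modifysid keywords are interpreted; other lines are ignored.
SAMPLE_CONF = r"""
# local policy: keep these SIDs commented out after every update
disablesid 1000001
disablesid 1000002, 1000003
# rewrite the source network of one rule, same syntax as oinkmaster.conf
modifysid 1000004 "\$EXTERNAL_NET" | "\$HOME_NET"
"""

# Constructed rules file with made-up SIDs in the local range (>= 1000000).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE one"; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE two"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"EXAMPLE three"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> any 22 (msg:"EXAMPLE four"; sid:1000004; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE five"; sid:1000005; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# modifysid SID[, SID...] "replacethis" | "withthis"   (no trailing #comment)
MODIFY_RE = re.compile(r'^modifysid\s+([\d,\s]+?)\s+"(.*)"\s*\|\s*"(.*)"\s*$')


def parse_conf(text):
    """Return (set of SIDs to disable, list of (sids, compiled regexp, replacement))."""
    disabled = set()
    modifications = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('disablesid'):
            sids = line[len('disablesid'):].replace(',', ' ').split()
            disabled.update(int(s) for s in sids)
            continue
        m = MODIFY_RE.match(line)
        if m:
            sids = {int(s) for s in m.group(1).replace(',', ' ').split()}
            # Perl's s/// treats "\$" as a literal dollar sign in the replacement;
            # Python's re.sub would keep the backslash, so unescape it here.
            replacement = m.group(3).replace('\\$', '$')
            modifications.append((sids, re.compile(m.group(2)), replacement))
    return disabled, modifications


def apply_policy(rules_text, disabled, modifications):
    """Apply modifysid substitutions, then comment out every disabled SID."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m:
            sid = int(m.group(1))
            for sids, pattern, replacement in modifications:
                if sid in sids:
                    # like Perl s/a/b/ without /g: first occurrence only
                    line = pattern.sub(replacement, line, count=1)
            if sid in disabled and not line.lstrip().startswith('#'):
                line = '# ' + line  # already-commented rules are left alone
        out.append(line)
    return '\n'.join(out) + '\n'


def update_rules(conf_text, rules_text):
    disabled, modifications = parse_conf(conf_text)
    return apply_policy(rules_text, disabled, modifications)


if __name__ == '__main__':
    print(update_rules(SAMPLE_CONF, SAMPLE_RULES), end='')
```

Running the block prints the five rules with SIDs 1000001 and 1000003 newly commented out, 1000002 left as it was, and the source network of 1000004 rewritten to $HOME_NET. Disabling by commenting out rather than deleting is what keeps the next archive update from silently re-enabling a rule: the SID survives in the file, so the same policy applies again.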





Copyright(c) 1999-2017 ITNAVI.com