Snort ルールファイルの自動更新

ルールファイルの自動更新

・Perl モジュールインストール

PulledPork の動作には、Archive::Tar, Crypt::SSLeay, libwww-perl (cpan では Bundle::LWP) が必要

    [root]# cpan Archive::Tar Crypt::SSLeay Bundle::LWP
・PulledPork インストール

https://github.com/shirkdog/pulledpork/releases から取得

    [root]# tar xvfz pulledpork-0.7.3.tar.gz
    [root]# mv -v pulledpork-0.7.3 /usr/local/pulledpork 
    [root]# chown -R snort:snort /usr/local/pulledpork/
    [root]# chmod 755 /usr/local/pulledpork/pulledpork.pl
・PulledPork 設定
    [root]# vim /usr/local/pulledpork/etc/pulledpork.conf

    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

    <oinkcode> は snort.org で取得した自分の oinkcode に置き換える（認証情報なので pulledpork.conf の閲覧権限に注意）。
    その他の rule_url 行は全てコメントアウト
    # rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
    # rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
    # rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>

    rule_path=/etc/snort/rules/snort.rules

    # local_rules=/etc/snort/rules/local.rules

    sid_changelog=/var/log/snort/sid_changes.log

    sid_msg=/etc/snort/etc/sid-msg.map

    snort_path=/usr/local/bin/snort

    config_path=/etc/snort/etc/snort.conf

    # sostub_path=/etc/snort/so_rules/so_rules.rules

    distro=RHEL-7-4

    # black_list=/etc/snort/rules/iplists/default.blacklist

    # IPRVersion=/etc/snort/rules/iplists

    # snort_control=/usr/local/bin/snort_control

    pid_path=/var/log/snort/snort_eth0.pid

    snort_version=2.9.13.0

    version=0.7.3
・snort.conf 変更
    include $RULE_PATH/xxx.rules, include $PREPROC_RULE_PATH/xxx.rules,
    include $SO_RULE_PATH/xxx.rules の行を全て削除

    [root]# cp -v /etc/snort/etc/snort.conf /etc/snort/etc/snort.conf.bak

    [root]# sed -i '/^include $RULE_PATH/d' /etc/snort/etc/snort.conf
    [root]# sed -i '/^include $PREPROC_RULE_PATH/d' /etc/snort/etc/snort.conf
    [root]# sed -i '/^include $SO_RULE_PATH/d' /etc/snort/etc/snort.conf

    [root]# vim /etc/snort/etc/snort.conf

      blacklist の行をコメントアウト

      # blacklist $BLACK_LIST_PATH/blacklist.rules

      snort.rules のみ include(全てのルールが snort.rules にまとめられる)

      include $RULE_PATH/snort.rules

    既存のルールファイルを全て削除（local.rules など独自ルールがある場合は事前に退避しておく）

    [root]# rm -vf /etc/snort/rules/*
    [root]# rm -vf /etc/snort/so_rules/*
    [root]# rm -vf /etc/snort/preproc_rules/*

    /etc/snort/rules/snort.rules ファイルを作成

    [root]# touch /etc/snort/rules/snort.rules
    [root]# chown -R snort:snort /etc/snort/
    [root]# chmod 600 /etc/snort/rules/snort.rules
    
    snort 再起動

    [root]# systemctl restart snortd
・PulledPork 実行
    [root]# /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf

    ※ 前回の実行から 15 分以上経過しないと再実行できない
・PulledPork 定期実行
    [root]# crontab -e

    3 0 * * * /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf