snort ルールセット自動更新

前回は自分でルールを書いていたが、既知の不正侵入や攻撃を検知するためのルールがまとまったもの(ルールセット)がsnort.orgから配布されている。ルールセットは大きく分けて2つある。

  • Sourcefire VRT Certified Rules
    SroucefireのVulnerability Research Team(VRT)がメンテナンスをしているオフィシャルなルールセット。
    頻繁に更新が行われている。
    • Subscriber Release
      最新のルールセット(有償)
    • Registered User Release
      「Subscriber Release」より30日遅れのルールセット。snort.orgに登録すればダウンロードできる。
  • Community Rules
    オープンソースコミュニティが作成したルールセットで、VRTが動作確認を行っている。

pulledporkを使うとルールセットのダウンロード、展開、指定のディレクトリに配置を自動でやってくれる。今回は「Sourcefire VRT Certified Rules」の「Registered User Release」を使用する。

RPM作成

OpenSUSE用のSRPMを見付けたのでダウンロードしてSPECファイルを参考にした。rpm作成に使用したSPECファイルはGistに置いた。

$ rpmbuild -ba rpmbuild/SPECS/pulledpork.spec

pulledpork

% diff -u pulledpork.conf.org pulledpork.conf
--- pulledpork.conf.org	2014-05-06 20:09:14.774046736 +0900
+++ pulledpork.conf	2014-05-06 23:26:04.791047913 +0900
@@ -16,14 +16,15 @@
 # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
 # note that the url, rule file, and oinkcode itself are separated by a pipe |
 # i.e. url|tarball|123456789, 
-rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|123456789
 # NEW Community ruleset:
-rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
+#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
 # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
 # This format MUST be followed to let pulledpork know that this is a blacklist
-rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
+#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
 # URL for rule documentation! (slow to process)
-rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
+#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
 #rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
 # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
 # and the et oinkcode requirement!
@@ -69,14 +70,14 @@
 # rules? (this value has changed as of 0.4.0, previously we copied 
 # all of the rules, now we are creating a single large rules file
 # but still keeping a separate file for your so_rules!
-rule_path=/usr/local/etc/snort/rules/snort.rules
+rule_path=/etc/snort/rules/snort.rules
 
 # What path you want the .rules files to be written to, this is UNIQUE
 # from the rule_path and cannot be used in conjunction, this is to be used with the
 # -k runtime flag, this can be set at runtime using the -K flag or specified
 # here.  If specified here, the -k option must also be passed at runtime, however
 # specifying -K <path> at runtime forces the -k option to also be set
-# out_path=/usr/local/etc/snort/rules/
+out_path=/etc/snort/rules/
 
 # If you are running any rules in your local.rules file, we need to
 # know about them to properly build a sid-msg.map that will contain your
@@ -84,10 +85,10 @@
 # files that are local to your system here by adding a comma and more paths...
 # remember that the FULL path must be specified for EACH value.
 # local_rules=/path/to/these.rules,/path/to/those.rules
-local_rules=/usr/local/etc/snort/rules/local.rules
+local_rules=/etc/snort/rules/local.rules
 
 # Where should I put the sid-msg.map file?
-sid_msg=/usr/local/etc/snort/sid-msg.map
+sid_msg=/etc/snort/sid-msg.map
 
 # New for by2 and more advanced msg mapping.  Valid options are 1 or 2
 # specify version 2 if you are running barnyard2.2+.  Otherwise use 1
@@ -110,11 +111,11 @@
 sorule_path=/usr/local/lib/snort_dynamicrules/
 
 # Path to the snort binary, we need this to generate the stub files
-snort_path=/usr/local/bin/snort
+snort_path=/usr/sbin/snort
 
 # We need to know where your snort.conf file lives so that we can
 # generate the stub files
-config_path=/usr/local/etc/snort/snort.conf
+config_path=/etc/snort/snort.conf
 
 ##### Deprecated - The stubs are now  categorically written to the  single rule file!
 # sostub_path=/usr/local/etc/snort/rules/so_rules.rules
@@ -128,7 +129,7 @@
 # FreeBSD-7-3, FreeBSD-8-1
 # OpenBSD-4-8
 # Slackware-13-1
-distro=FreeBSD-8.1
+distro=RHEL-6-0
 
 #######  This next section is optional, but probably pretty useful to you.
 #######  Please read thoroughly!
% pulledpork -c /etc/pulledpork/pulledpork.conf

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2961.tar.gz....
        No Match
        Done
Rules tarball download of snortrules-snapshot-2961.tar.gz....
        They Match
        Done!
Prepping rules from snortrules-snapshot-2961.tar.gz for work....
        Done!
Reading rules...
Setting Flowbit State....
        Enabled 35 flowbits
        Done
Writing /etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------21332
        Deleted:---0
        Enabled Rules:----5240
        Dropped Rules:----0
        Disabled Rules:---16091
        Total Rules:------21331
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!