Changeset 182
- Timestamp:
- 03/20/05 14:22:07 (5 years ago)
- Location:
- fwsnort/trunk
- Files:
-
- 5 modified
fwsnort/trunk/ChangeLog
r181 r182 1 fwsnort-0.6.4 (12/18/2004); 1 fwsnort-0.6.5 (03/20/2005): 2 - Updated to not attempt to download Snort rules from snort.org 3 because the rules are no longer available for automatic downloads 4 - Changed the install.pl script and the --update-rules mode for 5 fwsnort to download the latest signature set from 6 http://www.bleedingsnort.com/. 7 (Snort.org is now offering pay-service around their rule sets). 8 - Added signature test for the "flowbits" keyword. 9 10 fwsnort-0.6.4 (12/18/2004): 2 11 - Updated to Snort-2.3 rules. FWSnort can convert a total of 1710 3 12 out of 2559 total Snort-2.3 rules. … … 8 17 - Added --replace-string patches. 9 18 10 fwsnort-0.6.3 (04/04/2004) ;19 fwsnort-0.6.3 (04/04/2004): 11 20 - Added ignore functionality for both IPs and networks 12 21 - Split --ipt-block into --ipt-drop and --ipt-reject to add DROP … … 15 24 file to be added. 16 25 17 fwsnort-0.6.2 (03/19/2004) ;26 fwsnort-0.6.2 (03/19/2004): 18 27 - Added --internal-net and --dmz-net options so that internal and 19 28 dmz networks can be manually specified without having to parse -
fwsnort/trunk/TODO
r176 r182 1 - Port the string match extension to the 2.6 kernel. 1 - Port the string match extension to the 2.6 kernel. 2 - Have some level of (optional) integration with the --replace-string 3 patches 4 - Allow a list of SIDs to have a manually specified target (such as 5 -j REJECT --reject-with tcp-reset). The list should come from the 6 command line with a new option and/or be read from a file. -
fwsnort/trunk/VERSION
r176 r182 1 0.6. 41 0.6.5 -
fwsnort/trunk/fwsnort
r179 r182 13 13 # Credits: (see the CREDITS file) 14 14 # 15 # Version: 0.6. 415 # Version: 0.6.5 16 16 # 17 17 # Copyright (C) 2003 Michael Rash (mbr@cipherdyne.org) … … 105 105 my $log_dir = '/var/log'; 106 106 107 my $snort_website = 'www.snort.org'; 108 my $ download_rules_file = 'snortrules-snapshot-CURRENT.tar.gz';107 ### Snort.org no longer allows auto downloads of signatures 108 my $bleeding_snort_website = 'www.bleedingsnort.com'; 109 109 110 110 ### config file … … 119 119 120 120 ### version number 121 my $version = '0.6. 4';121 my $version = '0.6.5'; 122 122 123 123 ### supported variables in snort signatures … … 204 204 'distance' => '[\s;]distance:\s*(\d+)\s*;', 205 205 'within' => '[\s;]within:\s*(\d+)\s*;', 206 'flowbits' => '[\s;]flowbits:\s*\S+\s*;', 206 207 # 'offset' => '[\s;]offset:\s*\d+\s*;', 207 208 # 'depth' => '[\s;]depth:\s*\d+\s*;', … … 1695 1696 ### make sure we can actually reach snort.org. 1696 1697 print "[+] Downloading latest rules:\n", 1697 " http://$snort_website/dl/rules/$download_rules_file\n"; 1698 if (&test_snort_website()) { 1699 chdir $fwsnort_dir or die "[*] Could not chdir $fwsnort_dir: $!"; 1700 if (-e $download_rules_file) { 1701 unlink $download_rules_file or die "[*] Could not remove ", 1702 "$download_rules_file: $!"; 1703 } 1704 system "$cmds{'wget'} http://$snort_website/dl/rules/" . 1705 "$download_rules_file"; 1706 system "$cmds{'tar'} xvfz $download_rules_file"; 1707 if (-d 'rules') { 1708 if (-d 'snort_rules') { 1709 rmtree 'snort_rules.orig' if -d 'snort_rules.orig'; 1710 move 'snort_rules', 'snort_rules.orig'; 1711 } 1712 move 'rules', 'snort_rules' or die "[*] Could not ", 1713 "move rules -> snort_rules: $!"; 1714 } else { 1715 print "[-] $download_rules_file did not appear to ", 1716 "contain a\n \"rules\" directory. 
Defaulting to ", 1717 "existing snort-2.0 rules.\n"; 1718 } 1719 } else { 1720 print "[-] Could not connect to $snort_website on tcp/80.\n", 1721 " Defaulting to existing snort-2.0 rules.\n"; 1722 } 1723 print "[+] Moving rules files to $fwsnort_dir/snort_rules/\n", 1724 "[+] Finished.\n"; 1698 " http://$bleeding_snort_website/bleeding-all.rules\n"; 1699 chdir $rules_dir or die "[*] Could not chdir $rules_dir: $!"; 1700 if (-e 'bleeding-all.rules') { 1701 move 'bleeding-all.rules', 'bleeding-all.rules.tmp' 1702 or die "[*] Could not move bleeding-all.rules -> ", 1703 "bleeding-all.rules.tmp"; 1704 } 1705 system "$cmds{'wget'} http://$bleeding_snort_website/bleeding-all.rules"; 1706 if (-e 'bleeding-all.rules') { ### successful download 1707 unlink 'bleeding-all.rules.tmp'; 1708 } else { 1709 print "[-] Could not download bleeding-all.rules file.\n"; 1710 if (-e 'bleeding-all.rules.tmp') { 1711 ### move the original back 1712 move 'bleeding-all.rules', 'bleeding-all.rules.tmp' 1713 or die "[*] Could not move bleeding-all.rules -> ", 1714 "bleeding-all.rules.tmp"; 1715 } 1716 } 1717 print "[+] Finished.\n"; 1725 1718 exit 0; 1726 }1727 1728 sub test_snort_website() {1729 my $sock = new IO::Socket::INET(1730 PeerAddr => $snort_website,1731 PeerPort => 80,1732 Proto => 'tcp',1733 Timeout => 71734 );1735 if (defined($sock)) {1736 close $sock;1737 return 1;1738 }1739 return 0;1740 1719 } 1741 1720 … … 1833 1812 --dmz-net <net/mask> - Manually specify a dmz network 1834 1813 (CIDR or standard notation). 1835 -u --update-rules - Download latest snort rules from1836 http://$snort_website/1814 -u --update-rules - Download latest Bleeding-Snort rules 1815 from http://$bleeding_snort_website/ 1837 1816 -t --type=<type> - Only process snort rules of type <type> 1838 1817 (e.g. "ddos" or "backdoor") -
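Review bot: The "move the original back" branch at lines 1710-1714 moves in the wrong direction — `move 'bleeding-all.rules', 'bleeding-all.rules.tmp'` tries to move the file that was just found missing onto the backup, so after a failed download the saved rule set is never restored; it should read `move 'bleeding-all.rules.tmp', 'bleeding-all.rules' or die "[*] Could not move bleeding-all.rules.tmp -> bleeding-all.rules: $!";`. The same reversed move appears in the install.pl hunk at its line 149, and both `or die` messages omit `$!`. The download at line 1705 is a plain-HTTP fetch whose content is then turned into firewall rules with no integrity check; that is a pre-existing design limit rather than a regression of this commit, but a comment such as `### NOTE: rules are fetched over HTTP without a checksum or signature check` next to the wget call would make the trust assumption visible. The enclosing --update-rules block begins outside the hunk.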
fwsnort/trunk/install.pl
r174 r182 41 41 my $rules_dir = "${fwsnort_dir}/snort_rules"; 42 42 43 my $snort_website = 'www.snort.org'; 44 my $ download_rules_file = 'snortrules-snapshot-CURRENT.tar.gz';43 ### Snort.org no longer allows auto downloads of signatures 44 my $bleeding_snort_website = 'www.bleedingsnort.com'; 45 45 46 46 ### system binaries … … 133 133 134 134 my $local_rules_dir = 'snort_rules'; 135 if (&query_get_latest_snort_rules()) { 136 ### make sure we can actually reach snort.org. 137 if (&test_snort_website()) { 138 if (-e $download_rules_file) { 139 unlink $download_rules_file or die "[*] Could not remove ", 140 "$download_rules_file: $!"; 141 } 142 system "$cmds{'wget'} http://$snort_website/dl/rules/" . 143 $download_rules_file; 144 if (-e $download_rules_file) { 145 system "$cmds{'tar'} xvfz $download_rules_file"; 146 if (-d 'rules') { 147 rmtree 'downloaded_snort_rules' 148 if -d 'downloaded_snort_rules'; 149 move 'rules', 'downloaded_snort_rules' 150 or die "[*] Could not move rules -> ", 151 "downloaded_snort_rules: $!"; 152 $local_rules_dir = 'downloaded_snort_rules'; 153 } else { 154 print "[-] $download_rules_file did not appear to ", 155 "contain a\n \"rules\" directory. 
Defaulting to ", 156 "existing snort-2.3 rules.\n"; 157 } 158 } else { 159 print "[-] Could not download $download_rules_file\n", 160 " Defaulting to existing snort-2.3 rules.\n"; 161 } 135 if (&query_get_bleeding_snort()) { 136 chdir $local_rules_dir or die "[*] Could not chdir $local_rules_dir"; 137 if (-e 'bleeding-all.rules') { 138 move 'bleeding-all.rules', 'bleeding-all.rules.tmp' 139 or die "[*] Could not move bleeding-all.rules -> ", 140 "bleeding-all.rules.tmp"; 141 } 142 system "$cmds{'wget'} http://$bleeding_snort_website/bleeding-all.rules"; 143 if (-e 'bleeding-all.rules') { ### successful download 144 unlink 'bleeding-all.rules.tmp'; 162 145 } else { 163 print "[-] Could not connect to $snort_website on tcp/80.\n", 164 " Defaulting to existing snort-2.3 rules.\n"; 165 } 146 print "[-] Could not download bleeding-all.rules file.\n"; 147 if (-e 'bleeding-all.rules.tmp') { 148 ### move the original back 149 move 'bleeding-all.rules', 'bleeding-all.rules.tmp' 150 or die "[*] Could not move bleeding-all.rules -> ", 151 "bleeding-all.rules.tmp"; 152 } 153 } 154 chdir '..'; 166 155 } 167 156 … … 175 164 next unless $rfile =~ /\.rules$/; 176 165 print "[+] Installing $rfile\n"; 177 copy "snort_rules/${rfile}", "${rules_dir}/${rfile}"; 166 copy "snort_rules/${rfile}", "${rules_dir}/${rfile}" or 167 die "[*] Could not copy snort_rules/${rfile} ", 168 "-> ${rules_dir}/${rfile}"; 178 169 } 179 170 … … 274 265 } 275 266 276 sub query_get_ latest_snort_rules() {267 sub query_get_bleeding_snort() { 277 268 my $ans = ''; 278 print "[+] Would you like to download the latest snort rules from \n", 279 " http://$snort_website/? If you not (or if you aren't connected\n", 280 " to the Net, then the installation will default to using \n", 281 " snort-2.3 signatures.\n"; 269 print "[+] Would you like to download the latest Snort rules from \n", 270 " http://$bleeding_snort_website/?\n"; 282 271 while ($ans ne 'y' && $ans ne 'n') { 283 272 print " ([y]/n)? 
"; … … 287 276 } 288 277 if ($ans eq 'y') { 289 return 1;290 }291 return 0;292 }293 294 sub test_snort_website() {295 my $sock = new IO::Socket::INET(296 PeerAddr => $snort_website,297 PeerPort => 80,298 Proto => 'tcp',299 Timeout => 7300 );301 if (defined($sock)) {302 close $sock;303 278 return 1; 304 279 }
