Linux Security Cookbook [Electronic resources] (text version)

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman
Recipe 9.26 Upgrading and Tuning Snort's Ruleset



9.26.1 Problem


You want Snort to use the latest
intrusion signatures.


9.26.2 Solution


Download the latest rules from http://www.snort.org and install them in
/usr/local/share to be consistent with our other
Snort recipes:

# tar xvpzf snortrules-stable.tar.gz -C /usr/local/share

To test configuration changes, or to verify the correct usage of
command-line options:

# snort -T ...

To omit the verbose initialization and summary messages:

# snort -q ...


9.26.3 Discussion


The field of NIDS is an area of active research, and
Snort is undergoing rapid development. Furthermore, the arms race
between attackers and defenders of systems continues to escalate. You
should upgrade your Snort installation frequently to cope with the
latest threats.

If you have locally modified your rules, then before upgrading them,
preserve your changes and merge them into the new versions. If you
confine your site-specific additions to the file local.rules, merging
will be a lot easier.
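
The upgrade procedure above (stage the new tarball, carry local.rules
across, run snort -T, then swap), as an added example script that is
not part of the book. It assumes a layout the recipe does not spell
out: the live rules sit in $RULES_DIR (default /usr/local/share/rules,
hypothetical), the tarball unpacks to a rules/ directory, snort.conf
reaches the rules through a RULE_PATH variable (so -S RULE_PATH=...
can point the self-test at the staged copy), and $SNORT names the
snort binary. It also checks local.rules before the merge: Snort
reserves SIDs 1000000 and above for local rules, and a local SID that
duplicates an upstream one makes alerts ambiguous.

```bash
#!/bin/sh
# Staged Snort ruleset upgrade.  Added example, not code from the book.
# Assumed layout (the recipe does not fix one): live rules in $RULES_DIR,
# the tarball unpacking to a rules/ directory, snort.conf reaching the
# rules through "var RULE_PATH", and $SNORT naming the snort binary.
set -u

RULES_DIR="${RULES_DIR:-/usr/local/share/rules}"   # hypothetical path
SNORT="${SNORT:-snort}"

# Read rule text on stdin, print its SIDs one per line, sorted and unique.
# Comment lines are skipped so a commented-out rule does not count.
extract_sids() {
    grep -v '^[[:space:]]*#' |
        sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | sort -un
}

# check_local_sids LOCAL_RULES RULES_DIR
# Two sanity checks before local.rules is merged into a new ruleset:
#   * Snort reserves SIDs 1000000 and above for local rules; anything lower
#     is waiting to collide with a future upstream rule;
#   * a local SID that already exists in an upstream file makes alerts
#     ambiguous.
# Prints each problem; returns 0 when clean, 1 otherwise.
check_local_sids() {
    local_file=$1; rules_dir=$2; rc=0
    upstream_sids=$(find "$rules_dir" -name '*.rules' ! -name local.rules \
                        -exec cat {} + | extract_sids)
    for sid in $(extract_sids < "$local_file"); do
        if [ "$sid" -lt 1000000 ]; then
            echo "local.rules: sid $sid is below 1000000 (reserved for local rules)"
            rc=1
        fi
        if printf '%s\n' "$upstream_sids" | grep -qx "$sid"; then
            echo "local.rules: sid $sid collides with an upstream rule"
            rc=1
        fi
    done
    return $rc
}

# upgrade_rules TARBALL SNORT_CONF
# Unpack into a staging directory, copy local.rules across, check it, run
# "snort -T" against the staged tree, and only then swap it into place.
# On any failure the live tree is untouched and the staging copy is left
# for inspection.
upgrade_rules() {
    tarball=$1; conf=$2
    staging="$RULES_DIR.staging"
    rm -rf "$staging" && mkdir -p "$staging" || return 1
    tar xpzf "$tarball" -C "$staging" || return 1
    new="$staging/rules"
    [ -d "$new" ] || { echo "no rules/ directory in $tarball"; return 1; }
    # Site-specific rules live only in local.rules, so carrying that one
    # file across is the whole merge.
    if [ -f "$RULES_DIR/local.rules" ]; then
        cp "$RULES_DIR/local.rules" "$new/local.rules" || return 1
    else
        : > "$new/local.rules"
    fi
    check_local_sids "$new/local.rules" "$new" || return 1
    # -T parses the configuration and every rule file and exits; -S points
    # RULE_PATH at the staged tree so the live one is not read.
    "$SNORT" -T -c "$conf" -S RULE_PATH="$new" || return 1
    # Keep one previous generation for rollback, then swap.
    rm -rf "$RULES_DIR.old"
    if [ -d "$RULES_DIR" ]; then
        mv "$RULES_DIR" "$RULES_DIR.old" || return 1
    fi
    mv "$new" "$RULES_DIR" && rm -rf "$staging"
}

# Usage: sh upgrade-snort-rules.sh snortrules-stable.tar.gz /usr/local/share/snort.conf
if [ $# -eq 2 ]; then
    upgrade_rules "$1" "$2"
fi
```

Run it as sh upgrade-snort-rules.sh snortrules-stable.tar.gz
/usr/local/share/snort.conf. If the SID check or snort -T fails, the
live rules directory is never touched and the staged copy stays behind
for inspection; the previous generation is kept in $RULES_DIR.old so a
bad upgrade can be rolled back with a single mv.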

Although the snort.conf file can be used without
modification, it is worthwhile to edit the file to customize
Snort's operation for your site. Comments in the
file provide a guided tour of Snort's features, and
can be used as a step-by-step configuration guide, along with the
Snort User's Manual.

The most important parameters are the network variables at the
beginning of the configuration file. These define the boundaries of
your networks, and the usage patterns within those networks. For
quick testing, you can override variables on the command line with
the -S option, e.g.:

# snort -S HOME_NET=10.22.33.0/24 ...

Depending on your interests and needs, you may also wish to enable or
tune some of the Snort preprocessors that are designed to
respond to various threats. IP defragmentation and TCP stream
reassembly are enabled by default, to detect
denial of service attacks and to support
the other preprocessors. If you are being subjected to
anti-NIDS attacks such as noise
generators that attempt to overwhelm Snort with a flood of
alert-inducing traffic, use:

# snort -z est ...

to limit alerts to known, established TCP connections only. This mode
depends on the TCP stream reassembly preprocessor, so leave that
preprocessor enabled when you use it. Several preprocessors are
available to defeat attempts to escape detection during attacks on
specific protocols. Such evasions often take the form of path name or
instruction sequence mutations, and the preprocessors work to convert
the input streams into a canonical form that the pattern matching
rules can recognize more readily. Port scans are noticed by
preprocessors that watch connection attempts across many ports and
hosts over time.

Finally, a variety of
output plugins can direct alerts to
databases, XML files, SNMP traps, a local Unix socket, or even
WinPopup messages on Windows workstations, using Samba. Many of these
features are experimental, or require special configuration options
when Snort is installed; consult the documentation in the source
distribution for details.






Whenever you modify the Snort configuration or add or customize
rules, use the -T option to verify that your
changes are correct. This will prevent Snort from dying unexpectedly
when it next restarts, e.g., at boot time.


9.26.4 See Also


snort(8). The Snort home page is http://www.snort.org. The
Honeynet project's
web site, http://www.honeynet.org, contains a wealth of
information about network monitoring, including Snort. See
http://www.honeynet.org/papers/honeynet/tools/snort.conf
for a sample Snort configuration file.
