Exploring the latest version of Snort
Typical Preprocessors
I've found that the following preprocessors are often specified in snort.conf
to make sure all traffic types are used on a network. To enable these preprocessors, uncomment them within the snort.conf
file:
preprocessor normalize_ip4 preprocessor normalize_tcp: ips ecn stream preprocessor normalize_icmp4 preprocessor normalize_ip6 preprocessor normalize_icmp6
These preprocessors make it possible for Snort and DAQ to modify packets as necessary in order to drop suspicious TCP traffic.
Using PulledPork to Update Rulesets
As you might suspect, Snort is only as good as its preprocessors and rules. As you might further expect, managing all of the new rules can be quite a challenge, especially because new forms of attacks are being dreamed up constantly. How do are you supposed to manage all of these rules?
The best way to manage rules (called "rulesets" by the official documentation) is by using the PulledPork application. Once called Baconator, PulledPork is capable of grabbing – or pulling – the latest rules from the Snort website. For those of you who have been using Oinkmaster for years, using PulledPork may require a bit of adjustment, but the simplified rule management is worth changing your ways.
See the box titled "Updates and PulledPork" for more on managing Snort rulesets.
Updates and PulledPork
PulledPork, once called Baconator, is the best way to manage Snort rulesets. For those of you who have been using Oinkmaster for years, PulledPork may require a bit of adjustment.
First, download PulledPork at one of the many repositories, including Google:
$ wget http://pulledpork.googlecode.com/svn/trunk/ pulledpork.pl
Then, make sure that pulledpork.pl
has at least 755 permissions:
/usr/local/bin$ sudo chmod 755 pulledpork.pl
To get PulledPork going, edit the /etc/pulledpork/pulledpork.conf
file to include the relevant entries. For example, if you want to always have "emerging threat" rules constantly updated on your Snort system, enter the following:
rule_url=https://www.snort.org/reg-rules/|\ snortrules-snapshot.tar.gz|<oinkcode>#
rule_url=https://rules.emergingthreats.net/|\ etpro.rules.tar.gz
If you are a subscriber, enter the following line at the end of the rule:
<et oinkcode>
Then, make sure cron is configured to run the PulledPork Perl script:
0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf \ -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
You are now using PulledPork to include the most current updates.
More than Prettying Up the Pig?
Snort will always be something you can install on your Linux system independently of any Cisco hardware. Still, you know that Cisco is going to create a tight, compelling integration of Snort into all Cisco hardware.
Also, you're going to see more rules and plugins specific to NetFlow, Cisco's standard for traffic monitoring. That's a bit worrisome in a sense. For now, however, I am intrigued by Cisco's interest in enhancing the ability for network security professionals to analyze data.
When it comes to intrusion detection, the most significant focus areas are: prevention, detection, collection, and mitigation. Snort has shown over the past 15 years an unparalleled ability to gather and even detect a great many anomalies, yet it has not been strong in analysis. This latest version of Snort has taken a major step in this direction,
It's exciting to see the changes, including the new DAQ and Snort's improved IPS ability. Although it is possible to run Snort in pretty much the same way you always have, the new functionality promises to make Snort ready for a more analytical future.
I'm especially interested in Snort's improved ability to filter TCP-based traffic, including email traffic.
Infos
- Snort: https://www.snort.org/
- Snort Downloads: https://www.snort.org/downloads
- Libnet at Sourceforge: http://libdnet.sourceforge.net
- Rudix: https://code.google.com/p/rudix/downloads/detail?name=libdnet-1.12-0.pkg&can=2&q=
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs