Exploring the latest version of Snort
Typical Preprocessors
I've found that the following preprocessors are often specified in snort.conf
to make sure all traffic types are used on a network. To enable these preprocessors, uncomment them within the snort.conf
file:
preprocessor normalize_ip4 preprocessor normalize_tcp: ips ecn stream preprocessor normalize_icmp4 preprocessor normalize_ip6 preprocessor normalize_icmp6
These preprocessors make it possible for Snort and DAQ to modify packets as necessary in order to drop suspicious TCP traffic.
Using PulledPork to Update Rulesets
As you might suspect, Snort is only as good as its preprocessors and rules. As you might further expect, managing all of the new rules can be quite a challenge, especially because new forms of attacks are being dreamed up constantly. How do are you supposed to manage all of these rules?
The best way to manage rules (called "rulesets" by the official documentation) is by using the PulledPork application. Once called Baconator, PulledPork is capable of grabbing – or pulling – the latest rules from the Snort website. For those of you who have been using Oinkmaster for years, using PulledPork may require a bit of adjustment, but the simplified rule management is worth changing your ways.
See the box titled "Updates and PulledPork" for more on managing Snort rulesets.
Updates and PulledPork
PulledPork, once called Baconator, is the best way to manage Snort rulesets. For those of you who have been using Oinkmaster for years, PulledPork may require a bit of adjustment.
First, download PulledPork at one of the many repositories, including Google:
$ wget http://pulledpork.googlecode.com/svn/trunk/ pulledpork.pl
Then, make sure that pulledpork.pl
has at least 755 permissions:
/usr/local/bin$ sudo chmod 755 pulledpork.pl
To get PulledPork going, edit the /etc/pulledpork/pulledpork.conf
file to include the relevant entries. For example, if you want to always have "emerging threat" rules constantly updated on your Snort system, enter the following:
rule_url=https://www.snort.org/reg-rules/|\ snortrules-snapshot.tar.gz|<oinkcode>#
rule_url=https://rules.emergingthreats.net/|\ etpro.rules.tar.gz
If you are a subscriber, enter the following line at the end of the rule:
<et oinkcode>
Then, make sure cron is configured to run the PulledPork Perl script:
0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf \ -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
You are now using PulledPork to include the most current updates.
More than Prettying Up the Pig?
Snort will always be something you can install on your Linux system independently of any Cisco hardware. Still, you know that Cisco is going to create a tight, compelling integration of Snort into all Cisco hardware.
Also, you're going to see more rules and plugins specific to NetFlow, Cisco's standard for traffic monitoring. That's a bit worrisome in a sense. For now, however, I am intrigued by Cisco's interest in enhancing the ability for network security professionals to analyze data.
When it comes to intrusion detection, the most significant focus areas are: prevention, detection, collection, and mitigation. Snort has shown over the past 15 years an unparalleled ability to gather and even detect a great many anomalies, yet it has not been strong in analysis. This latest version of Snort has taken a major step in this direction,
It's exciting to see the changes, including the new DAQ and Snort's improved IPS ability. Although it is possible to run Snort in pretty much the same way you always have, the new functionality promises to make Snort ready for a more analytical future.
I'm especially interested in Snort's improved ability to filter TCP-based traffic, including email traffic.
Infos
- Snort: https://www.snort.org/
- Snort Downloads: https://www.snort.org/downloads
- Libnet at Sourceforge: http://libdnet.sourceforge.net
- Rudix: https://code.google.com/p/rudix/downloads/detail?name=libdnet-1.12-0.pkg&can=2&q=
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
OpenMandriva Lx 23.03 Rolling Release is Now Available
OpenMandriva "ROME" is the latest point update for the rolling release Linux distribution and offers the latest updates for a number of important applications and tools.
-
CarbonOS: A New Linux Distro with a Focus on User Experience
CarbonOS is a brand new, built-from-scratch Linux distribution that uses the Gnome desktop and has a special feature that makes it appealing to all types of users.
-
Kubuntu Focus Announces XE Gen 2 Linux Laptop
Another Kubuntu-based laptop has arrived to be your next ultra-portable powerhouse with a Linux heart.
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.