Downloading and using latest snort rules
From Notes_Wiki
- Download the latest snort rules from https://www.snort.org/snort-rules/#registered. Note that the subscriber release cannot be downloaded without becoming a subscriber, but the registered user release can be used after free registration. The subscriber rules become available to registered users with a month's delay.
- Copy snortrules-snapshot-2905.tar.gz to a folder named snortrules. Here 2905 means snort version 2.9 and ruleset version 05.
- Extract snortrules-snapshot-2905.tar.gz using 'tar xzf snortrules-snapshot-2905.tar.gz'
- rm -rf /etc/snort
- mkdir /etc/snort /etc/snort/rules /etc/snort/so_rules /etc/snort/preproc_rules
- Copy all files and directories from 'etc' folder to '/etc/snort'
- Copy all files and directories from 'rules' folder to '/etc/snort/rules'
- Copy all files and directories from 'so_rules' folder to '/etc/snort/so_rules'
- Copy all files and directories from 'preproc_rules' folder to '/etc/snort/preproc_rules'
- chown -R snort:snort /etc/snort
- Edit file '/etc/snort/snort.conf' and change the following lines:
  - ipvar HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
  - ipvar EXTERNAL_NET any
  - ipvar DNS_SERVERS [192.168.36.222,192.168.36.204,10.4.2.210,10.4.3.203]
  - ipvar SMTP_SERVERS [10.4.2.200,10.4.2.202,10.4.2.250]
  - ipvar HTTP_SERVERS [10.4.2.208]
  - portvar HTTP_PORTS [80,3128,8080]
  - var RULE_PATH /etc/snort/rules
  - var SO_RULE_PATH /etc/snort/so_rules
  - var PREPROC_RULE_PATH /etc/snort/preproc_rules
- Start snort with 'service snort start'. It may take some time for snort to start.
- Use 'tail -100 /var/log/messages | less' to see detailed information on the rules that were loaded.
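The whole procedure above, from extracting the snapshot to rewriting the ipvar/portvar/var lines in snort.conf, as an added shell script that is not part of the wiki page or of the Snort project. The function names, the optional DEST argument (so the script can be exercised against a scratch directory instead of /etc/snort), the portable sed-to-temp-file replacement, and the tiny constructed snapshot built by make_sample_snapshot (a placeholder rule, not a real ruleset) are all assumptions of this example; the directory layout, ownership and variable values are the ones the page gives.

```shell
#!/bin/sh
# Added example (not from the wiki page): install a Snort rules snapshot
# into DEST and set the snort.conf variables the page lists.
set -eu

# set_snort_var CONF KIND NAME VALUE
# Replace the line "KIND NAME ..." in CONF (or append it if absent), e.g.
#   set_snort_var /etc/snort/snort.conf ipvar HOME_NET '[10.0.0.0/8]'
# A temp file is used instead of 'sed -i' so this works on any POSIX sed.
set_snort_var() {
    conf=$1; kind=$2; name=$3; value=$4
    if grep -q "^$kind $name " "$conf"; then
        tmpf=$(mktemp)
        # '|' is the sed delimiter because values contain '/'
        sed "s|^$kind $name .*|$kind $name $value|" "$conf" > "$tmpf"
        cat "$tmpf" > "$conf"      # keep the file's owner and mode
        rm -f "$tmpf"
    else
        printf '%s %s %s\n' "$kind" "$name" "$value" >> "$conf"
    fi
}

# install_snort_rules TARBALL DEST
# Extract the snapshot and copy etc/, rules/, so_rules/ and preproc_rules/
# into DEST, recreating DEST first exactly as the page's steps do.
install_snort_rules() {
    tarball=$1; dest=$2
    work=$(mktemp -d)
    tar xzf "$tarball" -C "$work"
    rm -rf "$dest"                  # the page's 'rm -rf /etc/snort' step: existing config is lost
    mkdir -p "$dest/rules" "$dest/so_rules" "$dest/preproc_rules"
    cp -R "$work/etc/." "$dest/"
    cp -R "$work/rules/." "$dest/rules/"
    cp -R "$work/so_rules/." "$dest/so_rules/"
    cp -R "$work/preproc_rules/." "$dest/preproc_rules/"
    rm -rf "$work"
    # chown only when the snort user exists (it will not in a scratch environment)
    if id snort >/dev/null 2>&1; then chown -R snort:snort "$dest"; fi
}

# configure_snort_conf CONF DEST
# Apply the variable settings listed on the page; paths point under DEST.
configure_snort_conf() {
    conf=$1; dest=$2
    set_snort_var "$conf" ipvar HOME_NET '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]'
    set_snort_var "$conf" ipvar EXTERNAL_NET any
    set_snort_var "$conf" ipvar DNS_SERVERS '[192.168.36.222,192.168.36.204,10.4.2.210,10.4.3.203]'
    set_snort_var "$conf" ipvar SMTP_SERVERS '[10.4.2.200,10.4.2.202,10.4.2.250]'
    set_snort_var "$conf" ipvar HTTP_SERVERS '[10.4.2.208]'
    set_snort_var "$conf" portvar HTTP_PORTS '[80,3128,8080]'
    set_snort_var "$conf" var RULE_PATH "$dest/rules"
    set_snort_var "$conf" var SO_RULE_PATH "$dest/so_rules"
    set_snort_var "$conf" var PREPROC_RULE_PATH "$dest/preproc_rules"
}

# make_sample_snapshot OUT_TGZ
# Build a tiny constructed snapshot with the same layout as the real
# snortrules-snapshot tarball so the script can be tried offline.
make_sample_snapshot() {
    out=$1
    case $out in /*) ;; *) out=$PWD/$out ;; esac   # tar -C changes directory
    src=$(mktemp -d)
    mkdir -p "$src/etc" "$src/rules" "$src/so_rules" "$src/preproc_rules"
    printf 'ipvar HOME_NET any\nipvar EXTERNAL_NET any\nvar RULE_PATH ../rules\n' > "$src/etc/snort.conf"
    # constructed placeholder rule, not from any real ruleset
    printf 'alert tcp any any -> any 80 (msg:"sample rule"; sid:1000001; rev:1;)\n' > "$src/rules/local.rules"
    : > "$src/so_rules/.keep"
    : > "$src/preproc_rules/.keep"
    tar czf "$out" -C "$src" etc rules so_rules preproc_rules
    rm -rf "$src"
}

# Usage: sh install_snort_rules.sh snortrules-snapshot-2905.tar.gz /etc/snort
if [ $# -eq 2 ]; then
    install_snort_rules "$1" "$2"
    configure_snort_conf "$2/snort.conf" "$2"
fi
```

Run it with the real snapshot and /etc/snort as the second argument to reproduce the page's steps, then start snort as the last step describes. Pointing DEST at a scratch directory first is a cheap way to check that the copied layout and the rewritten variables look right before the destructive rm -rf of the live /etc/snort.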