Updating snort rules
A comparison is commonly made between signature-based IDS and antivirus software.
At the time of this writing, there is no version control enabled.
On each of our packet decoders, we created a Snort folder in the parsers directory which will store our rules files and file.
So, after the new netbios rules go out (in the next few days, according to Snort.org), the number of MS08-067 rules will be reduced to 2.
For instance, the old netbios rule file:
# wc -l netbios.rules
5828 netbios.rules
The new:
# wc -l netbios.rules
122 netbios.rules
So this is great!
Snort is a signature-based intrusion detection system.
While the preprocessors do not rely on signatures to generate alerts on potential malicious traffic, the heart of Snort's ability to detect intrusion is the catalog of signatures located in the rules files.
We over at Sourcefire (yes, I work for Sourcefire in case you don't know by now!) have been putting the word out for a couple of months now about the Snort 2.8.4 upgrade, how it's very important, and that you need to go upgrade now. For a while now, a lot of netbios flow tracking has been done with our rules language.
For each .rules file you wish to distribute, you'll have to add a similar block of code as Puppet doesn't play well with wildcards.
Since Puppet runs every half hour or so, we wait an hour before running a script to reload the parsers.
However, the warning about this is that the VRT is no longer providing the "old" method of rule updates for netbios vulnerabilities.