README for arachNIDS Snort ruleset updater 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 


By?
~~~
Andreas Östling, andreaso@it.su.se.


Where?
~~~~~~
http://nitzer.dhs.org/arachnids_upd/


What?
~~~~~
A simple Perl script to update your arachNIDS Snort rules from www.whitehats.com
and filter out the rules you don't want.
Can be run automagically as a cron job.


Why?
~~~~
I wanted an easy way to update my Snort rules from arachNIDS and I know there are
plenty of the rules there I don't want to use, but by default I always want the
new rules.


Works?
~~~~~~
Yes, at least on my OpenBSD and Linux boxes.
It should work on most UNIX variants, and requires wget
(ftp://ftp.gnu.org/gnu/wget/).


How?
~~~~
It fetches the new arachNIDS Snort ruleset from a specified URL (or the
default, http://www.whitehats.com/ids/vision.rules), #comments out the
unwanted rules and reports what has been added/removed (it runs a diff on the
new and the old ruleset). Lines beginning with > have been added in the new
ruleset, and lines beginning with < have been removed from it. Unwanted rules
are specified in the file arachnids.ignore.

For example, you always want to use the latest arachNIDS ruleset but you know
you never want this Traceroute rule:
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
Then you simply add its IDS number (the 118 in "IDS118/Traceroute ICMP") to the
file arachnids.ignore. Next time the ruleset is updated, this rule will be
#commented out. To ignore more rules, add their IDS numbers to arachnids.ignore,
one number per line.
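The filtering step described above, as an added example in Python (not the
Perl script's own code): read the IDS numbers from arachnids.ignore, #comment
out every rule whose msg carries one of those numbers, count what was disabled
and produce the same </> style diff against the previous ruleset. The three
rules and the ignore file are constructed sample data, not the real
vision.rules; only IDS118 is a rule from this README. The match is anchored on
the "/" after the number, so ignoring 118 does not also disable a hypothetical
IDS1180, which a plain substring match would.

```python
import difflib
import re

# Constructed sample ruleset in the arachNIDS vision.rules style.
# Only the IDS118 rule is from the README; the other two are made up.
SAMPLE_RULES = """\
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS1180/hypothetical-ftp-probe"; flags: S;)
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS1/hypothetical-dns-probe";)
"""

# Constructed arachnids.ignore contents: one IDS number per line.
# Blank lines are tolerated here (an assumption; the README only says
# "one number per line").
SAMPLE_IGNORE = "118\n\n1\n"

# arachNIDS rules carry their ID in the msg option as "IDSnnn/...".
# The trailing "/" anchors the match so that 118 does not also hit IDS1180.
ID_RE = re.compile(r'msg:\s*"IDS(\d+)/')


def parse_ignore(text):
    """Return the set of IDS numbers listed in an arachnids.ignore file.
    Anything that is not a number is an error, not silently skipped."""
    ids = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.isdigit():
            raise ValueError("arachnids.ignore line %d: expected an IDS number, got %r" % (lineno, raw))
        ids.add(int(line))
    return ids


def rule_id(line):
    """IDS number of a rule line, or None if it carries no IDSnnn/ tag."""
    m = ID_RE.search(line)
    return int(m.group(1)) if m else None


def disable_rules(rules_text, ignore_ids):
    """Return (filtered_text, disabled, total).

    Rules whose IDS number is in ignore_ids get a leading '#'. Lines that are
    already comments (or blank) are passed through untouched and not counted,
    so running this twice over the same file changes nothing."""
    out = []
    disabled = total = 0
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        total += 1
        rid = rule_id(line)
        if rid is not None and rid in ignore_ids:
            out.append("#" + line)
            disabled += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled, total


def ruleset_diff(old_text, new_text):
    """Old ruleset vs new one, in the '<' (removed) / '>' (added) convention
    the README's diff output uses. Returns a list of output lines."""
    old, new = old_text.splitlines(), new_text.splitlines()
    out = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag == "equal":
            continue
        out.extend("< " + l for l in old[i1:i2])
        if tag == "replace":
            out.append("---")
        out.extend("> " + l for l in new[j1:j2])
    return out


def update(old_rules, fetched_rules, ignore_text):
    """One update run: filter the freshly fetched ruleset and report the
    change against what was installed before. Returns (new_rules, report)."""
    new_rules, disabled, total = disable_rules(fetched_rules, parse_ignore(ignore_text))
    report = ["Disabled %d out of %d rules." % (disabled, total), "##### Diff output: #####"]
    report.extend(ruleset_diff(old_rules, new_rules))
    report.append("## End of diff output ##")
    return new_rules, report


if __name__ == "__main__":
    # Pretend the unfiltered sample was what we had installed last time.
    _, lines = update(SAMPLE_RULES, SAMPLE_RULES, SAMPLE_IGNORE)
    print("\n".join(lines))
```

In a real run the "old" ruleset is the file on disk and the "fetched" one is
what wget just downloaded; the diff is what you would read in syslog the next
morning to decide whether a newly added rule needs its number in
arachnids.ignore.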

The URL to get the ruleset from can be specified using -u <URL>, since
Snort boxes aren't always able to contact the evil Internet.
This way you can download the ruleset to another host on your network and
then have the Snort machine fetch it from that host, assuming the Snort
machine can connect to it.
You could of course also run the script on another host, and then copy
the new ruleset to the Snort host from there.

This script could be run manually but also as a cron job. 
To be useful while running as a cron job you should obviously have Snort 
read the new rules file after the update. This script does not do this for you.

arachnids_upd.pl probably works best with vision.rules (the file containing
only the rules), which you then include from the Snort main configuration
file. It does however also work with vision.conf (= rules + the Snort
configuration headers).

If you don't want to #comment out any rules, the file arachnids.ignore must
still exist (but be empty).

And of course, be careful when running as a cron job.
Automatic updating of the Snort rules can always be dangerous: the ruleset is
fetched with wget over plain HTTP and nothing in this update process
authenticates what was downloaded, so whatever ends up in that file is what
Snort will load. Read the diff output before trusting a new rule.
Also be careful about which rules you have disabled; every IDS number in
arachnids.ignore is traffic Snort will no longer alert on.

Try ./arachnids_upd.pl -h for more usage information. 



Examples
~~~~~~~~

To see how it works, try this. First create an empty arachnids.ignore if
it doesn't already exist, and then run:
./arachnids_upd.pl -o vision.rules
The file ./vision.rules will now be created if it doesn't exist.
Let's ignore IDS118 in future updates:
echo 118 >> arachnids.ignore
Update again:
./arachnids_upd.pl -o vision.rules
and you should see something like this:

Executing: wget -nv -O /tmp/vision.temp.3497 http://www.whitehats.com/ids/vision.rules
18:21:20 URL:http://www.whitehats.com:80/ids/vision.rules [56844/56844] -> "/tmp/vision.temp.3497" [1]
Disabled 1 out of 475 rules.
##### Diff output: #####
< alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
---
> #alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
## End of diff output ##

The IDS118 rule is now disabled!

To automagically update /snort/vision.rules every night at 02:30, make a backup
of the old vision.rules and send the differences between the files to syslog,
you could use something like this in your crontab:

30 2 * * * /snort/arachnids_upd.pl -o /snort/vision.rules -i /snort/arachnids.ignore -b 2>&1 |logger -t arachnids_upd 

When you check your syslog the next day and see that a new rule has been added
which you don't want, just add its IDS number to arachnids.ignore and it will
be #commented out in all future updates.
