README for arachNIDS Snort rules updater v0.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By?
~~~
Andreas Östling, andreaso@it.su.se.
Feedback is of course appreciated.


Where?
~~~~~~
http://nitzer.dhs.org/arachnids_upd/



What?
~~~~~
A simple Perl script to update your arachNIDS Snort rules from www.whitehats.com
and filter out the unwanted rules.
It will also tell you what has changed since the last update.



Why?
~~~~
I want an easy way to update my Snort rules from arachNIDS, and I know there are
plenty of rules there I don't want to use for various reasons, but by default I
always want the new rules. I also want to know exactly what has been
added/removed/changed in the new ruleset.



Works?
~~~~~~
Yes, at least on my OpenBSD and Linux boxes.
It should work on most UNIX variants that have Perl and wget
(ftp://ftp.gnu.org/gnu/wget/).

I'm NOT responsible for what it does to your Snort machine.
Do NOT restart your Snort process(es) automatically (like in a cron job) after
running this script unless you're absolutely sure what you're doing.
Read the comments about that below.



How to install?
~~~~~~~~~~~~~~~
Check the INSTALL file.



How does it work?
~~~~~~~~~~~~~~~~~
It fetches the new arachNIDS Snort ruleset from a specified URL (or the
default, http://www.whitehats.com/ids/vision.rules.gz), #comments out the
unwanted rules and prints what has been added/removed/modified since the last
update. Unwanted rules are specified in the file arachnids.ignore.
arachnids_upd.pl should probably be run as the same user running Snort
(hopefully not root!). It exits with a non-zero exit status if something
fails (and otherwise zero).

For example, you always want to use the latest arachNIDS ruleset but you know
you never want this Traceroute rule:
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
then you simply add its IDS number (118) to the file arachnids.ignore.
Next time the ruleset is updated, this rule will be #commented out.
To add more rules to be ignored, add their IDS numbers to the file
arachnids.ignore, one number per line and only the number.

arachnids_upd.pl probably works best when using vision.rules (the file
containing only the rules) while including that file from Snort's main
configuration file. It should however also work with vision.conf
( = rules + the Snort configuration headers), but since I don't use that
myself I can't promise it always works as expected.
You probably shouldn't customize the vision.rules file manually since it will
be overwritten the next time you run this script (although you could of course
run the new ruleset through a sed filter or similar after each download if there
are some changes you always want to make).

If you don't want to #comment out any rules, the file arachnids.ignore must
still exist (but be empty).

This script can be run manually but also as a cron job.
But of course, be very careful when running it as a cron job.
Grabbing the rules as a cron job might be a good idea, but also restarting Snort
automatically directly after that is a BAD idea! (no, actually it's a TERRIBLE idea)
You should never ever do this if you only run one Snort box, and don't
do it on all boxes if you have several. Automatic updating of Snort rules with
automatic Snort restart this way is very dangerous and can easily disable your NIDS.
And remember that there is no guarantee that you actually received the rules you
expected, and Snort might not even start with the new ruleset.
Of course on a home network and similar not-so-important places, this might be neat.

Also be careful about which rules you disable/have disabled.
You should take a look at your disabled rules every now and then and reconsider
whether you want to keep them disabled, because they might have been updated
since you disabled them (always carefully watch the 'Rule changes since last update'
output!). If you disable a rule just because you think the rule is poorly written,
please try to improve it and share it with the world instead of just disabling it :)

Try ./arachnids_upd.pl -h for more usage information.



Examples
~~~~~~~~

To see how it works, try this. First create an empty file called arachnids.ignore
if it doesn't already exist, and then run:
./arachnids_upd.pl -o vision.rules

The file ./vision.rules will now be created if it doesn't exist.

Let's ignore IDS118 in future updates:
echo 118 >> arachnids.ignore

Pull down the new ruleset again:
./arachnids_upd.pl -o vision.rules

And you should see something like this:
Grabbing ruleset from http://www.whitehats.com/ids/vision.rules.gz.
17:53:11 URL:http://www.whitehats.com:80/ids/vision.rules.gz [12277/12277] -> "/tmp/vision.temp.909.gz" [1]
Disabled 1 out of 512 rules.
Rule changes since last update:
 
[--]  Removed (disabled): [-/-]
  #alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
 
Saving new ruleset: vision.rules.


The IDS118 rule is now disabled!
If a rule has changed you will see something like this:
 
[///]   Modified active:   [///]
  Old: alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ";)
  New: alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
 

Here is what the different changes mean:
o Added (new):
  - New rule (the IDS number did not exist in the old ruleset).
o Added (enabled):
  - The rule (with this IDS number) was commented in the old ruleset, but is
    now activated.
o Added (enabled) and modified:
  - The rule (with this IDS number) was commented in the old ruleset, but
    is now activated. The actual rule has also been modified.
o Removed (deleted):
  - The rule (with this IDS number) no longer exists in any way.
o Removed (disabled):
  - The rule (with this IDS number) still exists but has now been commented.
o Removed (disabled) and modified:
  - The rule (with this IDS number) still exists but has now been commented.
    The actual rule has also been modified.
o Modified active:
  - The rule (with this IDS number) has been modified and is an active rule.
o Modified inactive:
  - The rule (with this IDS number) has been modified but is currently an
    inactive (commented) rule.

To automagically update /snort/vision.rules every night 02:30 and make backup
of the old vision.rules in /snort/backup/ sending difference between the
files to syslog, you could use something like this in your crontab:

30 2 * * * /snort/arachnids_upd.pl -o /snort/vision.rules -i /snort/arachnids.ignore -b /snort/backup 2>&1 | logger -t arachnids_upd

When you check your syslog the next time and see that a new rule has been added
that you don't want, just add its IDS number to arachnids.ignore and it will
always be #commented out in future updates.
(Or if a rule you have disabled has changed and you now decide that you want
to use it again, just remove its IDS number from arachnids.ignore and it will be
activated again in the next update.)

It's really nice to use "-b <directory>" to make backups of the current rules file so
you can go back and see which rules you were using at a given time.
Using the "-b" flag is always strongly recommended.
