Snort mailing list archives

RE: Now that I have my oink code


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 09 Mar 2005 14:19:42 -0600

--On Wednesday, March 09, 2005 10:48:44 AM -0800 Snortty <cwcwcwg () yahoo com> wrote:

> How did you figure out the IP of the snort NATting to
> outbound?

Here's what I did:

I wrote a shell script on an Internet-facing box. It's croned to run every night at 10PM. It fetches the rules file and puts it in an (IP-restricted, access-restricted, non-linked) directory on our web server. The IP of that box is fixed and never changes.

I then edited the oinkmaster.conf file to point to that location to fetch the rules files every night at 11PM. (I also changed the name of the file to snortrules.tar.gz. That way I only have to edit the shell script when the filename changes at snort.org. Oinkmaster always looks for snortrules.tar.gz.)

Note: if you're going to do this, you need to use very tight restrictions on who/what can access the file. Use a firewall or .htaccess rules to restrict the access to the one IP where oinkmaster lives.

Here's an example .htaccess file:
SetEnvIf X-Cluster-Client-Ip "(192\.168\.1\.12).*$" permitted
<LIMIT GET>
order deny,allow
deny from all
allow from env=permitted
</LIMIT>

If you have multiple snort boxes that need to fetch the rules, just use an OR ("|") in the SetEnvIf statement (e.g. "(192\.168\.1\.12|192\.168\.1\.13).*$").

With this .htaccess file in place, the only host that can access the file from the web (or using wget or ftp) is 192.168.1.12. NOTE: if you do not restrict access to this file, you will almost certainly be in violation of Sourcefire's license agreement.

Here's the shell script:

#!/bin/sh
# This script downloads the snort rules to a (configurable) local directory.
# Oinkmaster on buttercup2 then fetches them from that directory, so if you
# change the local directory or the filename, you have to edit the "url" option
# in the config file for oinkmaster or rules updating will be broken.
# When the file is downloaded, we rename it snortrules.tar.gz so that the
# oinkmaster.conf file never has to be edited when the rules change.

WGET="/usr/local/bin/wget"
CHMOD="/usr/bin/chmod"
RULES="snortrules-snapshot-{your version}.tar.gz"   # filename as published on snort.org
FILE="snortrules.tar.gz"                             # fixed name that oinkmaster.conf points at
RULESDIR="/path/to/your/local/dir"                   # the access-restricted web directory
OINKCODE="put your oink code here"
URL="http://www.snort.org/pub-bin/oinkmaster.cgi/$OINKCODE/$RULES"

# -q: quiet (this runs from cron); -O: write the single downloaded file
# under the fixed name. Stop if the download fails so a bad file is not
# given the web-readable permissions below.
"${WGET}" -q -O "${RULESDIR}/${FILE}" "${URL}" || exit 1
"${CHMOD}" 664 "${RULESDIR}/${FILE}"

> That could be my problems for d.l new rules after
> having registered, and got Oink Code by entering my
> snort box IP (internal IP), it shows errors:

> Connecting to 192.168.103.x:8000... connected.
> Proxy request sent, awaiting response... 403 You must
> be a registered user with a valid oink code to
> download this file from your IP Address
> 18:32:37 ERROR 403: You must be a registered user with
> a valid oink code to download this file from your IP
> Address.
> -------------------------
> where 192.168.103.x is our proxy IP.

The registration instructions specifically excluded RFC 1918 addresses. You must use an "internet" address.

> Also, I'm running snort v2.1.2, which latest rules
> should work for my snort, and file name to d.l?

snortrules-snapshot-2.1.tar.gz

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
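An added example, not the script from the original post: it extends the fetch step described above so that an empty download (wget saves nothing on the HTTP 403 quoted earlier in the thread) or an HTML error page can never replace the last good snortrules.tar.gz in the restricted directory. The download goes to a temporary file, is accepted only if it really is a gzip tarball, and is then renamed into place in one step; RULES, FILE, RULESDIR and OINKCODE are placeholders to fill in, as in the original.

```shell
#!/bin/sh
# Added example, not the script from the original post. Fetch the rules
# snapshot into a temp file, accept it only if it really is a gzip tarball
# (an empty file from an HTTP 403 or an HTML error page must never replace
# the last good copy), then install it atomically under the fixed name that
# oinkmaster.conf points at. RULES/FILE/RULESDIR/OINKCODE are placeholders.

RULES="snortrules-snapshot-{your version}.tar.gz"   # name on snort.org
FILE="snortrules.tar.gz"                             # name oinkmaster fetches
RULESDIR="/path/to/your/local/dir"                   # IP-restricted web dir
OINKCODE="put your oink code here"
URL="http://www.snort.org/pub-bin/oinkmaster.cgi/$OINKCODE/$RULES"

# is_rules_tarball FILE: succeed only for a non-empty gzip archive tar can list.
is_rules_tarball() {
    [ -s "$1" ] || return 1
    # gzip data starts with the magic bytes 1f 8b; an HTML page starts with "<"
    [ "$(od -A n -t x1 -N 2 "$1" | tr -d ' \n')" = "1f8b" ] || return 1
    tar -tzf "$1" >/dev/null 2>&1
}

# install_rules SRC DIR NAME: validate SRC, then move it into DIR/NAME in one
# rename so a reader never sees a half-written file; 664 matches the original.
install_rules() {
    src=$1; dir=$2; name=$3
    if ! is_rules_tarball "$src"; then
        rm -f "$src"
        return 1
    fi
    chmod 664 "$src" && mv -f "$src" "$dir/$name"
}

# fetch_rules: download into a temp file inside RULESDIR (same filesystem, so
# the final mv is atomic) and hand it to install_rules.
fetch_rules() {
    tmp=$(mktemp "$RULESDIR/.$FILE.XXXXXX") || return 1
    # -q quiet for cron, -O single output file; a 403 makes wget exit non-zero
    if ! wget -q -O "$tmp" "$URL"; then
        rm -f "$tmp"
        return 1
    fi
    install_rules "$tmp" "$RULESDIR" "$FILE"
}

# run from cron as: sh fetch-rules.sh fetch
case "${1:-}" in fetch) fetch_rules ;; esac
```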

