Tuesday, December 18, 2012

Adding Local Rules to Your NSM

<PSA>Before I get to my blog posting, one of my friends is hoping to mentor SANS 508 in London. If you were thinking about taking it, please help her kickstart her teaching career and go to this one!</PSA>

HiddenIllusion pointed me to a snazzy repo of rules I can use for my NSM setup which I talked about in my previous post. This post talks about how to add these to your own server, which then propagates to the clients.

Let's do a test first just to prove this works (because let's face it, sometimes it doesn't).

Server Side
1) Navigate to Applications > IDS Rules > Add Local Rules

2) Your local rules should now show up. Let's create a simple test rule so we know that local rules are being used in the NSM:

# -- Test Local Rules

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Web Activity: TEST";  sid:10001; rev:1;)

I am not going to dive into writing Snort rules too much here (it's pretty much a course in and of itself), but there are tons of resources out there, including A Snort Cookbook. Basically, this will alert when I have a TCP connection to an outside IP over port 80 (typical web traffic).

3) If you run PulledPork (Applications > IDS Rules > Rule Update), Snort is automatically restarted for you. Otherwise, you can do it from the command line:

sudo /usr/local/bin/pulledpork_update.sh

sudo nsm_sensor_ps-restart --only-snort-agent

4) Start Sguil. We will choose only the remote machine (so you know I am not cheating!)

Client Side

1) Simply run PulledPork (see Step 3 above) to download the new rules. You can check the local.rules file to see that the file has indeed been updated. Now all I need to do is go to a website, so let's go to www.google.com.


 

TaDa! The alert has shown up in my Sguil... obviously this is not a very good rule (unless you have disallowed internet usage). Now that you know it works, you can remove that rule (unless you like false positives) and add more meaningful ones.

Side Note: Of course, as I was writing this blog I found this on the SecurityOnion wiki... well, at least now I know!

Dealing with Errors

Did you really think it would be that easy?! If you try importing new local rules sometimes you may get errors when you try to restart snort. A simple tail of the log file reveals the culprit.



 
In this case, I would remove the offending rule, searching by the signature id in the local.rules file (or simply comment it out). Unfortunately, this is one of the drawbacks of importing rules: sometimes there are conflicts. Don't forget to update via pulledpork_update.sh on the clients afterwards too!
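One way to check a local.rules file for conflicts before restarting Snort, and to comment out a rule by signature id as described above. This is an added example, not part of the original post: it assumes the conflict is a reused or missing sid, and the function names and sample rules are constructed for illustration.

```bash
#!/bin/sh
# Added example: pre-flight checks for a Snort local.rules file.

# Print every sid used by more than one active (uncommented) rule.
dup_sids() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -o 'sid:[[:space:]]*[0-9][0-9]*' |
        tr -cd '0-9\n' | sort -n | uniq -d
}

# Print the line numbers of active rules that carry no sid option.
missing_sid() {
    awk '/^[ \t]*(#|$)/ { next } !/sid:[ \t]*[0-9]+/ { print NR }' "$1"
}

# Comment out every active rule carrying the given sid; keeps a .bak copy.
disable_sid() {
    cp "$1" "$1.bak" &&
    awk -v sid="$2" '
        !/^[ \t]*#/ && $0 ~ ("sid:[ \t]*" sid "[ \t]*;") { print "# " $0; next }
        { print }' "$1.bak" > "$1"
}

# Report problems; returns 0 only when the file passes both checks.
check_rules() {
    d=$(dup_sids "$1"); m=$(missing_sid "$1")
    [ -n "$d" ] && echo "duplicate sid(s):" $d
    [ -n "$m" ] && echo "no sid on line(s):" $m
    [ -z "$d$m" ]
}

# Constructed sample: the test rule from this post plus made-up rules.
write_sample() {
    cat > "$1" <<'EOF'
# -- Test Local Rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Web Activity: TEST";  sid:10001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Constructed duplicate"; sid:10001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Constructed, no sid"; rev:1;)
# alert tcp any any -> any 21 (msg:"Already disabled"; sid:10002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"Constructed OK"; sid:10003; rev:1;)
EOF
}

# Usage: sh check_local_rules.sh /path/to/copy/of/local.rules
if [ -n "${1:-}" ]; then check_rules "$1"; fi
```

Run it against a copy of local.rules first; disable_sid rewrites the file it is given and leaves the previous version beside it with a .bak suffix.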
