Automatically Updating Snort Rules
tar zxf snortrules.tar.gz
rm -f snortrules.tar.gz
# Make a backup copy of existing rules
mv $RULESDIR/*.rules $RULESDIRBAK
# Copy new rules to the location
mv /tmp/rules/*.rules $RULESDIR
Let us explore how this script works. The following lines simply set some variables.
RULESDIR=/etc/snort
RULESDIRBAK=/etc/snort/bak
WGETPATH=/usr/bin
RULESURI=http://www.snort.org/downloads/snortrules.tar.gz
The following three lines change to the /tmp directory, remove any existing
/tmp/rules directory, and download the snortrules.tar.gz file from the URI
specified by the $RULESURI variable.
cd /tmp
rm -rf rules
$WGETPATH/wget $RULESURI
After downloading, you extract the rules files from the snortrules.tar.gz file
and then delete it using the following two lines. The extracted files are placed in the
/tmp/rules directory.
tar zxf snortrules.tar.gz
rm -f snortrules.tar.gz
The following line makes a backup copy of existing rules files, just in case you
need the old copy later on.
mv $RULESDIR/*.rules $RULESDIRBAK
The last line in the script moves the new rules from the /tmp/rules directory to the
actual rules directory /etc/snort where Snort can read them.
mv /tmp/rules/*.rules $RULESDIR
Make sure to restart Snort after running this script. If you have a start script like
the one described in Chapter 2, you can add a line at the end of the shell script to restart
Snort.
/etc/init.d/snortd restart
You may also restart Snort using the command line.
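The script as listed runs each step unconditionally, so a failed download or extraction still moves the live rules into the backup directory, and it unpacks into the predictable /tmp/rules path. The function below is an added example, not the book's script: it performs the same backup-and-install steps only after the archive matches a digest and is confirmed to contain rules. The SHA-256 digest argument (assumed to be obtained separately from a trusted source), the function names and the sample rule are assumptions.

```sh
# Added example, not the book's script. The caller downloads the archive first.
# Usage: install_rules TARBALL EXPECTED_SHA256 RULESDIR RULESDIRBAK
install_rules() {
    tarball=$1 expected=$2 rulesdir=$3 bakdir=$4

    # Refuse the archive unless it matches the digest obtained out-of-band.
    actual=$(sha256sum "$tarball" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 2
    fi

    # Private scratch directory instead of the predictable /tmp/rules.
    work=$(mktemp -d) || return 1

    # Extract, then confirm the archive really contained rules/*.rules.
    if ! tar zxf "$tarball" -C "$work" ||
       ! ls "$work"/rules/*.rules >/dev/null 2>&1; then
        echo "no rules found in $tarball" >&2
        rm -rf "$work"
        return 3
    fi

    # Only now touch the live rules: back up the old set, then install.
    mkdir -p "$bakdir"
    for f in "$rulesdir"/*.rules; do
        if [ -e "$f" ]; then mv "$f" "$bakdir"/; fi
    done
    cp "$work"/rules/*.rules "$rulesdir"/ || { rm -rf "$work"; return 4; }
    rm -rf "$work"
}

# Constructed sample: build a one-rule archive and install it into scratch dirs.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/rules" "$d/live"
    echo 'alert tcp any any -> any 80 (msg:"constructed sample"; sid:1000001;)' \
        > "$d/src/rules/web.rules"
    tar zcf "$d/snortrules.tar.gz" -C "$d/src" rules
    sum=$(sha256sum "$d/snortrules.tar.gz" | cut -d' ' -f1)
    install_rules "$d/snortrules.tar.gz" "$sum" "$d/live" "$d/bak"; rc=$?
    rm -rf "$d"
    return $rc
}
```

A non-zero return means the live rules directory was left as it was, so the restart line should run only when install_rules returns 0.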