Posted to commits@metron.apache.org by ce...@apache.org on 2016/03/08 16:25:16 UTC

incubator-metron git commit: METRON-57 Added Snort Community rules to the Snort deployment process. (nickwallen via cestella) closes apache/incubator-metron#34

Repository: incubator-metron
Updated Branches:
  refs/heads/master 2e9f2c6ce -> f2c82c68c


METRON-57 Added Snort Community rules to the Snort deployment process. (nickwallen via cestella) closes apache/incubator-metron#34


Project: http://git-wip-us.apache.org/repos/asf/incubator-metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-metron/commit/f2c82c68
Tree: http://git-wip-us.apache.org/repos/asf/incubator-metron/tree/f2c82c68
Diff: http://git-wip-us.apache.org/repos/asf/incubator-metron/diff/f2c82c68

Branch: refs/heads/master
Commit: f2c82c68c356e7d149468d8aa1a54498c012531f
Parents: 2e9f2c6
Author: nickwallen <ni...@nickallen.org>
Authored: Tue Mar 8 10:24:55 2016 -0500
Committer: cstella <ce...@gmail.com>
Committed: Tue Mar 8 10:24:55 2016 -0500

----------------------------------------------------------------------
 deployment/roles/snort/files/snort.conf         | 305 ++++++++++---------
 .../snort/files/snortrules-snapshot-2962.tar.gz | Bin 34687290 -> 0 bytes
 deployment/roles/snort/tasks/snort.yml          |  35 ++-
 3 files changed, 174 insertions(+), 166 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/f2c82c68/deployment/roles/snort/files/snort.conf
----------------------------------------------------------------------
diff --git a/deployment/roles/snort/files/snort.conf b/deployment/roles/snort/files/snort.conf
index 260d0a4..8a24e0c 100644
--- a/deployment/roles/snort/files/snort.conf
+++ b/deployment/roles/snort/files/snort.conf
@@ -531,125 +531,126 @@ include reference.config
 # NOTE: All categories are enabled in this conf file
 ###################################################
 
+include $RULE_PATH/community.rules
+
 # site specific rules
-#include $RULE_PATH/local.rules
-
-include $RULE_PATH/app-detect.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/blacklist.rules
-include $RULE_PATH/botnet-cnc.rules
-include $RULE_PATH/browser-chrome.rules
-include $RULE_PATH/browser-firefox.rules
-include $RULE_PATH/browser-ie.rules
-include $RULE_PATH/browser-other.rules
-include $RULE_PATH/browser-plugins.rules
-include $RULE_PATH/browser-webkit.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/content-replace.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/experimental.rules
-include $RULE_PATH/exploit-kit.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/file-executable.rules
-include $RULE_PATH/file-flash.rules
-include $RULE_PATH/file-identify.rules
-include $RULE_PATH/file-image.rules
-include $RULE_PATH/file-java.rules
-include $RULE_PATH/file-multimedia.rules
-include $RULE_PATH/file-office.rules
-include $RULE_PATH/file-other.rules
-include $RULE_PATH/file-pdf.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/icmp-info.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/indicator-compromise.rules
-include $RULE_PATH/indicator-obfuscation.rules
-include $RULE_PATH/indicator-scan.rules
-include $RULE_PATH/indicator-shellcode.rules
-include $RULE_PATH/info.rules
-include $RULE_PATH/malware-backdoor.rules
-include $RULE_PATH/malware-cnc.rules
-include $RULE_PATH/malware-other.rules
-include $RULE_PATH/malware-tools.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/os-linux.rules
-include $RULE_PATH/os-mobile.rules
-include $RULE_PATH/os-other.rules
-include $RULE_PATH/os-solaris.rules
-include $RULE_PATH/os-windows.rules
-include $RULE_PATH/other-ids.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/phishing-spam.rules
-include $RULE_PATH/policy-multimedia.rules
-include $RULE_PATH/policy-other.rules
-include $RULE_PATH/policy.rules
-include $RULE_PATH/policy-social.rules
-include $RULE_PATH/policy-spam.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/protocol-dns.rules
-include $RULE_PATH/protocol-finger.rules
-include $RULE_PATH/protocol-ftp.rules
-include $RULE_PATH/protocol-icmp.rules
-include $RULE_PATH/protocol-imap.rules
-include $RULE_PATH/protocol-nntp.rules
-include $RULE_PATH/protocol-other.rules
-include $RULE_PATH/protocol-pop.rules
-include $RULE_PATH/protocol-rpc.rules
-include $RULE_PATH/protocol-scada.rules
-include $RULE_PATH/protocol-services.rules
-include $RULE_PATH/protocol-snmp.rules
-include $RULE_PATH/protocol-telnet.rules
-include $RULE_PATH/protocol-tftp.rules
-include $RULE_PATH/protocol-voip.rules
-include $RULE_PATH/pua-adware.rules
-include $RULE_PATH/pua-other.rules
-include $RULE_PATH/pua-p2p.rules
-include $RULE_PATH/pua-toolbars.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/scada.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/server-apache.rules
-include $RULE_PATH/server-iis.rules
-include $RULE_PATH/server-mail.rules
-include $RULE_PATH/server-mssql.rules
-include $RULE_PATH/server-mysql.rules
-include $RULE_PATH/server-oracle.rules
-include $RULE_PATH/server-other.rules
-include $RULE_PATH/server-samba.rules
-include $RULE_PATH/server-webapp.rules
-include $RULE_PATH/shellcode.rules
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/snmp.rules
-include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/spyware-put.rules
-include $RULE_PATH/sql.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/voip.rules
-include $RULE_PATH/web-activex.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/x11.rules
+# include $RULE_PATH/local.rules
+# include $RULE_PATH/app-detect.rules
+# include $RULE_PATH/attack-responses.rules
+# include $RULE_PATH/backdoor.rules
+# include $RULE_PATH/bad-traffic.rules
+# include $RULE_PATH/blacklist.rules
+# include $RULE_PATH/botnet-cnc.rules
+# include $RULE_PATH/browser-chrome.rules
+# include $RULE_PATH/browser-firefox.rules
+# include $RULE_PATH/browser-ie.rules
+# include $RULE_PATH/browser-other.rules
+# include $RULE_PATH/browser-plugins.rules
+# include $RULE_PATH/browser-webkit.rules
+# include $RULE_PATH/chat.rules
+# include $RULE_PATH/content-replace.rules
+# include $RULE_PATH/ddos.rules
+# include $RULE_PATH/dns.rules
+# include $RULE_PATH/dos.rules
+# include $RULE_PATH/experimental.rules
+# include $RULE_PATH/exploit-kit.rules
+# include $RULE_PATH/exploit.rules
+# include $RULE_PATH/file-executable.rules
+# include $RULE_PATH/file-flash.rules
+# include $RULE_PATH/file-identify.rules
+# include $RULE_PATH/file-image.rules
+# include $RULE_PATH/file-java.rules
+# include $RULE_PATH/file-multimedia.rules
+# include $RULE_PATH/file-office.rules
+# include $RULE_PATH/file-other.rules
+# include $RULE_PATH/file-pdf.rules
+# include $RULE_PATH/finger.rules
+# include $RULE_PATH/ftp.rules
+# include $RULE_PATH/icmp-info.rules
+# include $RULE_PATH/icmp.rules
+# include $RULE_PATH/imap.rules
+# include $RULE_PATH/indicator-compromise.rules
+# include $RULE_PATH/indicator-obfuscation.rules
+# include $RULE_PATH/indicator-scan.rules
+# include $RULE_PATH/indicator-shellcode.rules
+# include $RULE_PATH/info.rules
+# include $RULE_PATH/malware-backdoor.rules
+# include $RULE_PATH/malware-cnc.rules
+# include $RULE_PATH/malware-other.rules
+# include $RULE_PATH/malware-tools.rules
+# include $RULE_PATH/misc.rules
+# include $RULE_PATH/multimedia.rules
+# include $RULE_PATH/mysql.rules
+# include $RULE_PATH/netbios.rules
+# include $RULE_PATH/nntp.rules
+# include $RULE_PATH/oracle.rules
+# include $RULE_PATH/os-linux.rules
+# include $RULE_PATH/os-mobile.rules
+# include $RULE_PATH/os-other.rules
+# include $RULE_PATH/os-solaris.rules
+# include $RULE_PATH/os-windows.rules
+# include $RULE_PATH/other-ids.rules
+# include $RULE_PATH/p2p.rules
+# include $RULE_PATH/phishing-spam.rules
+# include $RULE_PATH/policy-multimedia.rules
+# include $RULE_PATH/policy-other.rules
+# include $RULE_PATH/policy.rules
+# include $RULE_PATH/policy-social.rules
+# include $RULE_PATH/policy-spam.rules
+# include $RULE_PATH/pop2.rules
+# include $RULE_PATH/pop3.rules
+# include $RULE_PATH/protocol-dns.rules
+# include $RULE_PATH/protocol-finger.rules
+# include $RULE_PATH/protocol-ftp.rules
+# include $RULE_PATH/protocol-icmp.rules
+# include $RULE_PATH/protocol-imap.rules
+# include $RULE_PATH/protocol-nntp.rules
+# include $RULE_PATH/protocol-other.rules
+# include $RULE_PATH/protocol-pop.rules
+# include $RULE_PATH/protocol-rpc.rules
+# include $RULE_PATH/protocol-scada.rules
+# include $RULE_PATH/protocol-services.rules
+# include $RULE_PATH/protocol-snmp.rules
+# include $RULE_PATH/protocol-telnet.rules
+# include $RULE_PATH/protocol-tftp.rules
+# include $RULE_PATH/protocol-voip.rules
+# include $RULE_PATH/pua-adware.rules
+# include $RULE_PATH/pua-other.rules
+# include $RULE_PATH/pua-p2p.rules
+# include $RULE_PATH/pua-toolbars.rules
+# include $RULE_PATH/rpc.rules
+# include $RULE_PATH/rservices.rules
+# include $RULE_PATH/scada.rules
+# include $RULE_PATH/scan.rules
+# include $RULE_PATH/server-apache.rules
+# include $RULE_PATH/server-iis.rules
+# include $RULE_PATH/server-mail.rules
+# include $RULE_PATH/server-mssql.rules
+# include $RULE_PATH/server-mysql.rules
+# include $RULE_PATH/server-oracle.rules
+# include $RULE_PATH/server-other.rules
+# include $RULE_PATH/server-samba.rules
+# include $RULE_PATH/server-webapp.rules
+# include $RULE_PATH/shellcode.rules
+# include $RULE_PATH/smtp.rules
+# include $RULE_PATH/snmp.rules
+# include $RULE_PATH/specific-threats.rules
+# include $RULE_PATH/spyware-put.rules
+# include $RULE_PATH/sql.rules
+# include $RULE_PATH/telnet.rules
+# include $RULE_PATH/tftp.rules
+# include $RULE_PATH/virus.rules
+# include $RULE_PATH/voip.rules
+# include $RULE_PATH/web-activex.rules
+# include $RULE_PATH/web-attacks.rules
+# include $RULE_PATH/web-cgi.rules
+# include $RULE_PATH/web-client.rules
+# include $RULE_PATH/web-coldfusion.rules
+# include $RULE_PATH/web-frontpage.rules
+# include $RULE_PATH/web-iis.rules
+# include $RULE_PATH/web-misc.rules
+# include $RULE_PATH/web-php.rules
+# include $RULE_PATH/x11.rules
 
 ###################################################
 # Step #8: Customize your preprocessor and decoder alerts
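Review bot: The header comment kept at the top of this hunk, `# NOTE: All categories are enabled in this conf file`, is now false: after the change only `$RULE_PATH/community.rules` is included and every category file is commented out, so it should read `# NOTE: Only the Snort community ruleset is enabled here; the category files below are left commented out`. A one-line pointer above `include $RULE_PATH/community.rules` saying the file is installed by `deployment/roles/snort/tasks/snort.yml` would also help the next reader find where it comes from. The same stale-comment situation applies to the preprocessor/decoder and shared-object hunks that follow, where the includes are commented out without a note saying why (the deployment task no longer copies `preproc_rules` and `so_rules` into `/etc/snort`).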
@@ -657,9 +658,9 @@ include $RULE_PATH/x11.rules
 ###################################################
 
 # decoder and preprocessor event rules
-include $PREPROC_RULE_PATH/preprocessor.rules
-include $PREPROC_RULE_PATH/decoder.rules
-include $PREPROC_RULE_PATH/sensitive-data.rules
+# include $PREPROC_RULE_PATH/preprocessor.rules
+# include $PREPROC_RULE_PATH/decoder.rules
+# include $PREPROC_RULE_PATH/sensitive-data.rules
 
 ###################################################
 # Step #9: Customize your Shared Object Snort Rules
@@ -667,37 +668,37 @@ include $PREPROC_RULE_PATH/sensitive-data.rules
 ###################################################
 
 # dynamic library rules
-include $SO_RULE_PATH/browser-ie.rules
-include $SO_RULE_PATH/browser-other.rules
-include $SO_RULE_PATH/exploit-kit.rules
-include $SO_RULE_PATH/file-flash.rules
-include $SO_RULE_PATH/file-image.rules
-include $SO_RULE_PATH/file-java.rules
-include $SO_RULE_PATH/file-multimedia.rules
-include $SO_RULE_PATH/file-office.rules
-include $SO_RULE_PATH/file-other.rules
-include $SO_RULE_PATH/file-pdf.rules
-include $SO_RULE_PATH/indicator-shellcode.rules
-include $SO_RULE_PATH/malware-cnc.rules
-include $SO_RULE_PATH/malware-other.rules
-include $SO_RULE_PATH/netbios.rules
-include $SO_RULE_PATH/os-linux.rules
-include $SO_RULE_PATH/os-other.rules
-include $SO_RULE_PATH/os-windows.rules
-include $SO_RULE_PATH/policy-social.rules
-include $SO_RULE_PATH/protocol-dns.rules
-include $SO_RULE_PATH/protocol-nntp.rules
-include $SO_RULE_PATH/protocol-other.rules
-include $SO_RULE_PATH/protocol-snmp.rules
-include $SO_RULE_PATH/protocol-voip.rules
-include $SO_RULE_PATH/pua-p2p.rules
-include $SO_RULE_PATH/server-apache.rules
-include $SO_RULE_PATH/server-iis.rules
-include $SO_RULE_PATH/server-mail.rules
-include $SO_RULE_PATH/server-mysql.rules
-include $SO_RULE_PATH/server-oracle.rules
-include $SO_RULE_PATH/server-other.rules
-include $SO_RULE_PATH/server-webapp.rules
+# include $SO_RULE_PATH/browser-ie.rules
+# include $SO_RULE_PATH/browser-other.rules
+# include $SO_RULE_PATH/exploit-kit.rules
+# include $SO_RULE_PATH/file-flash.rules
+# include $SO_RULE_PATH/file-image.rules
+# include $SO_RULE_PATH/file-java.rules
+# include $SO_RULE_PATH/file-multimedia.rules
+# include $SO_RULE_PATH/file-office.rules
+# include $SO_RULE_PATH/file-other.rules
+# include $SO_RULE_PATH/file-pdf.rules
+# include $SO_RULE_PATH/indicator-shellcode.rules
+# include $SO_RULE_PATH/malware-cnc.rules
+# include $SO_RULE_PATH/malware-other.rules
+# include $SO_RULE_PATH/netbios.rules
+# include $SO_RULE_PATH/os-linux.rules
+# include $SO_RULE_PATH/os-other.rules
+# include $SO_RULE_PATH/os-windows.rules
+# include $SO_RULE_PATH/policy-social.rules
+# include $SO_RULE_PATH/protocol-dns.rules
+# include $SO_RULE_PATH/protocol-nntp.rules
+# include $SO_RULE_PATH/protocol-other.rules
+# include $SO_RULE_PATH/protocol-snmp.rules
+# include $SO_RULE_PATH/protocol-voip.rules
+# include $SO_RULE_PATH/pua-p2p.rules
+# include $SO_RULE_PATH/server-apache.rules
+# include $SO_RULE_PATH/server-iis.rules
+# include $SO_RULE_PATH/server-mail.rules
+# include $SO_RULE_PATH/server-mysql.rules
+# include $SO_RULE_PATH/server-oracle.rules
+# include $SO_RULE_PATH/server-other.rules
+# include $SO_RULE_PATH/server-webapp.rules
 
 # legacy dynamic library rule files
 # include $SO_RULE_PATH/bad-traffic.rules

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/f2c82c68/deployment/roles/snort/files/snortrules-snapshot-2962.tar.gz
----------------------------------------------------------------------
diff --git a/deployment/roles/snort/files/snortrules-snapshot-2962.tar.gz b/deployment/roles/snort/files/snortrules-snapshot-2962.tar.gz
deleted file mode 100644
index 6b0af89..0000000
Binary files a/deployment/roles/snort/files/snortrules-snapshot-2962.tar.gz and /dev/null differ

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/f2c82c68/deployment/roles/snort/tasks/snort.yml
----------------------------------------------------------------------
diff --git a/deployment/roles/snort/tasks/snort.yml b/deployment/roles/snort/tasks/snort.yml
index b3d6810..c08bc93 100644
--- a/deployment/roles/snort/tasks/snort.yml
+++ b/deployment/roles/snort/tasks/snort.yml
@@ -57,36 +57,40 @@
 - name: Install snort
   yum: name=/root/rpmbuild/RPMS/x86_64/snort-{{ snort_version }}.x86_64.rpm
 
-#
-# TODO download latest rules from snort website - requires credentials
-#
-- name: Download snort rules
+- name: Download snort community rules
+  get_url:
+    url: "https://www.snort.org/downloads/community/community-rules.tar.gz"
+    dest: "/tmp/community-rules.tar.gz"
+
+- name: Extract tarball
   unarchive:
-    src: snortrules-snapshot-2962.tar.gz
+    src: "/tmp/community-rules.tar.gz"
     dest: /tmp
-    creates: /tmp/snortrules-snapshot-2962.tar.gz
+    copy: no
+    creates: "/tmp/community-rules"
 
 - name: Install snort rules
   shell: "{{ item }}"
   args:
     chdir: /tmp
   with_items:
-    - cp -r etc/* /etc/snort/
-    - cp -r rules /etc/snort/
-    - cp -r so_rules /etc/snort/
-    - cp -r preproc_rules /etc/snort/
+    - cp -r community-rules/community.rules /etc/snort/rules
     - touch /etc/snort/rules/white_list.rules
     - touch /etc/snort/rules/black_list.rules
     - touch /var/log/snort/alerts
     - chown -R snort:snort /etc/snort
 
+- name: Uncomment all snort community rules
+  shell: sed -i 's/^# alert/alert/' /etc/snort/rules/community.rules
+
 - name: Download snort configuration
   copy: src=snort.conf dest=/etc/snort/snort.conf
 
 - name: Configure network
-  lineinfile: dest=/etc/snort/snort.conf regexp="{{ item.regexp }}" line="{{ item.line }}"
-  with_items:
-    - { regexp: "^ipvar HOME_NET.*$", line: "ipvar HOME_NET {{ ansible_eth0.ipv4.address }}" }
+  lineinfile:
+    dest: /etc/snort/snort.conf
+    regexp: "^ipvar HOME_NET.*$"
+    line: "ipvar HOME_NET {{ ansible_eth0.ipv4.address }}"
 
 - name: Configure alerting
   lineinfile:
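Review bot: The new `get_url` task fetches the ruleset with no integrity check, so whatever the download returns is what lands in `/etc/snort/rules`; `get_url` accepts `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder value), though because the community tarball is republished under the same URL the pinned value has to be refreshed with each rule update. The fixed `/tmp/community-rules.tar.gz` and `/tmp/community-rules` paths are predictable in a world-writable directory, and `creates: "/tmp/community-rules"` skips extraction whenever that directory already exists, so a root-owned working directory is safer than `/tmp`. The `sed -i` task is not idempotent and reports changed on every run; the `replace` module does the same edit idempotently, and a comment should state that it enables rules upstream ships commented out, which raises alert volume and CPU cost on the sensor. Rewritten tasks below; the `unarchive` and `Install snort rules` tasks are unchanged apart from the directory.

```yaml
- name: Download snort community rules
  get_url:
    url: "https://www.snort.org/downloads/community/community-rules.tar.gz"
    dest: "/root/snort-rules/community-rules.tar.gz"
    # Placeholder: record the expected digest and refresh it with each rule update.
    checksum: "sha256:<EXPECTED_SHA256>"

# … unchanged: Extract tarball (dest/creates under /root/snort-rules), Install snort rules …

# Upstream ships many community rules commented out; enabling all of them
# increases alert volume and sensor load, so review the set before relying on it.
- name: Uncomment all snort community rules
  replace:
    dest: /etc/snort/rules/community.rules
    regexp: '^# alert'
    replace: 'alert'
```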
@@ -94,7 +98,10 @@
     line: "output alert_csv: {{ snort_alert_csv_path }} default"
 
 - name: Configure sysconfig
-  lineinfile: dest=/etc/sysconfig/snort regexp="{{ item.regexp }}" line="{{ item.line }}"
+  lineinfile:
+    dest: /etc/sysconfig/snort
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
   with_items:
     - { regexp: "^ALERTMODE=.*$",     line: "ALERTMODE=" }
     - { regexp: "^NO_PACKET_LOG=.*$", line: "NO_PACKET_LOG=1" }