7.5 Keeping Things Up-to-Date
Periodically download the latest Snort rules from the Snort home page. This task can be automated with scripts or plug-ins from the Snort community. A popular choice is Oinkmaster, a set of Perl scripts that backs up the old rules directory, downloads the latest rules, applies configurable local changes (even commenting out particular rules), and generates a report of how the new rules differ from the old directory. Oinkmaster does a very nice job, but it is not perfect. Rule-management tools are also included with the Snort frontends IDSPolman (Chapter 12) and SnortCenter (Chapter 11). Or simply write your own Bash script to download the latest rule set nightly. However, many administrators do not trust an auto-update process, because it can step on finely tuned rules and overwrite hours of work. While sometimes tedious, manually updating rule sets is the most accurate way to keep your rules current.
Controlling when and how Snort rules change is an important element of good intrusion detection. A problem with a download or with a rule set from the main Snort repository can prevent Snort from starting correctly, as has happened with past rule updates. Manual downloads are the recommended method, though automated downloads remain an option when the latest rule sets are required immediately.
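The steps Oinkmaster performs (back up, download, apply local changes, report the differences) can be reproduced in a small guarded script that also addresses the startup-failure risk noted above. This is an added example, not Oinkmaster's or the Snort project's code; it assumes rules live in a single file, locally disabled rules are listed one SID per line, and `snort -T -c <conf>` (Snort's configuration test mode) is the validation step, with the conf path being an assumption to adjust.

```bash
#!/usr/bin/env bash
# Added example of a guarded Snort rule refresh; not Oinkmaster or Snort code.
# Assumptions (adjust to your install): one rules file, a one-SID-per-line
# disable list, and "snort -T -c <conf>" as the validation command.
set -euo pipefail

# Comment out every rule whose "sid:N;" appears in the disable list ($2), so a
# fresh download cannot silently re-enable rules you tuned out locally.
apply_local_disables() {   # $1 new rules, $2 sid list, $3 output file
  awk 'FILENAME == ARGV[1] { disabled[$1] = 1; next }
       /^[[:space:]]*(alert|log|pass|drop|reject|sdrop|activate|dynamic)[[:space:]]/ {
         if (match($0, /sid:[[:space:]]*[0-9]+/)) {
           sid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[[:space:]]/, "", sid)
           if (sid in disabled) { print "# " $0; next }
         }
       }
       { print }' "$2" "$1" > "$3"
}

# Rules removed (<) or added (>) between two files, ignoring comments and
# blank lines: the report to read before the new set goes live.
rule_diff_report() {       # $1 old rules, $2 new rules
  diff <(grep -Ev '^[[:space:]]*(#|$)' "$1" | sort) \
       <(grep -Ev '^[[:space:]]*(#|$)' "$2" | sort) || true
}

# Back up the live file, stage the new one with local disables applied,
# write the change report, validate, and roll back if validation fails.
refresh_rules() {          # $1 downloaded rules, $2 live rules, $3 sid list, [$4 validate cmd]
  local new="$1" live="$2" disable="$3"
  local validate="${4:-snort -T -c /etc/snort/snort.conf}"   # assumed conf path
  local backup="$live.bak-$(date +%Y%m%d-%H%M%S)"
  cp -p "$live" "$backup"
  apply_local_disables "$new" "$disable" "$live.staged"
  rule_diff_report "$live" "$live.staged" > "$live.report"
  mv "$live.staged" "$live"
  if $validate; then
    echo "rules updated; backup at $backup, change report in $live.report"
  else
    cp -p "$backup" "$live"
    echo "validation failed; restored previous rules from $backup" >&2
    return 1
  fi
}
```

Run it from cron against a freshly downloaded rules file; a failed `snort -T` leaves the previous rules in place and the backup and report on disk for inspection.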