1 What are rules?

Security threats are always evolving. When you know the methods of an attacker, wouldn't it be nice to be able to alert when the method is reused? Wouldn't it be even better if you could share your knowledge of attack methods with your community? This is the concept behind Snort/Suricata rules. Rules are pluggable intelligence tidbits that are used to detect known threats in network traffic.

Suricata rules are the defacto method for sharing and matching threat intelligence against network traffic.

Take a look at the example Suricata rule below:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Fake Antivirus Download ws.exe"; flow:established,to_server; content:"GET"; http_method; content:"/install/ws.exe"; http_uri; nocase; r
eference:url,doc.emergingthreats.net/2010051; classtype:trojan-activity; sid:2010051; rev:4;)

This rule consists of a number of components:

• The networks and traffic type to match the signature against ("alert http $HOME_NET any -> $EXTERNAL_NET any")
• A message to accompany the alert ("msg:"ET TROJAN Likely Fake Antivirus Download ws.exe")
• HTTP, TCP state to match signature against (flow:established,to_server; content:"GET"; http_method;)

And the most important part:

• The intelligence "tidbits" that indicate the threat (content:"/install/ws.exe"; http_uri; nocase;)

2 What is Oinkmaster?

Oinkmaster is a tool for downloading and managing rules for Snort and Suricata.

3 Installing, configuring Oinkmaster

• Oinkmaster is in the default Ubuntu 14.04 APT repository
• Oinkmaster works for managing Snort, Suricata and Sagan

To install Oinkmaster:

# apt-get install oinkmaster

4 Configuraing Oinkmaster

4.1 Add Emerging Threats feed to Oinkmaster

• Oinkmaster's configuration is located in '/etc/oinkmaster.conf'

# editor /etc/oinkmaster.conf

• Find the "url" clauses in your oinkmaster.conf, and add the following line to enable the Emerging Threats ruleset

url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

4.2 Run Oinkmaster to test configuration

# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

• If everything works right, you should see output that looks like this:

Loading /etc/oinkmaster.conf
Downloading file from http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disablesid 0, enablesid 0, modifysid 0, localsid 0, total rules 21183
Setting up rules structures... done.
Comparing new files to the old ones... done.
Checking flowbits dependencies... problems found:

WARNING: SID 2017126 depends on flowbit "FlimKit.SWF.Redirect" which is set in INACTIVE SID 2017125 (SID 2017126 is broken unless you also enable SID 2017125).
WARNING: SID 2016785 depends on flowbit "ET.http.javaclient.SakuraPorts" which is not set in any rule
Updating local rules files... done.

[***] Results from Oinkmaster started 20150622 23:47:16 [***]

[+++]          Added rules:          [+++]

     -> Added to botcc.rules (1):
        alert ip $HOME_NET any -> [98.126.44.98] any (msg:"ET CNC Palevo Tracker Reported CnC Server group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,palevotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404204; rev:3885;)

4.3 Add Oinkmaster cronjob to automatically download rules

• Edit the crontab as root

# crontab -e 

• Add configuration to download rules every day at midnight

0 0 * * * oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules