1 What are rules?

Security threats are always evolving. When you know the methods of an attacker, wouldn't it be nice to be able to alert when the method is reused? Wouldn't it be even better if you could share your knowledge of attack methods with your community? This is the concept behind Snort/Suricata rules. Rules are pluggable intelligence tidbits that are used to detect known threats in network traffic.

Suricata rules are the defacto method for sharing and matching threat intelligence against network traffic.

Take a look at the example Suricata rule below:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Fake Antivirus Download ws.exe"; flow:established,to_server; content:"GET"; http_method; content:"/install/ws.exe"; http_uri; nocase; r
eference:url,doc.emergingthreats.net/2010051; classtype:trojan-activity; sid:2010051; rev:4;)

This rule consists of a number of components:

And the most important part:

2 What is Oinkmaster?

Oinkmaster is a tool for downloading and managing rules for Snort and Suricata.

3 Installing, configuring Oinkmaster

To install Oinkmaster:

# apt-get install oinkmaster

4 Configuraing Oinkmaster

4.1 Add Emerging Threats feed to Oinkmaster

# editor /etc/oinkmaster.conf
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

4.2 Run Oinkmaster to test configuration

# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Loading /etc/oinkmaster.conf
Downloading file from http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disablesid 0, enablesid 0, modifysid 0, localsid 0, total rules 21183
Setting up rules structures... done.
Comparing new files to the old ones... done.
Checking flowbits dependencies... problems found:

WARNING: SID 2017126 depends on flowbit "FlimKit.SWF.Redirect" which is set in INACTIVE SID 2017125 (SID 2017126 is broken unless you also enable SID 2017125).
WARNING: SID 2016785 depends on flowbit "ET.http.javaclient.SakuraPorts" which is not set in any rule
Updating local rules files... done.

[***] Results from Oinkmaster started 20150622 23:47:16 [***]

[+++]          Added rules:          [+++]

     -> Added to botcc.rules (1):
        alert ip $HOME_NET any -> [] any (msg:"ET CNC Palevo Tracker Reported CnC Server group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,palevotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404204; rev:3885;)

4.3 Add Oinkmaster cronjob to automatically download rules

# crontab -e 
0 0 * * * oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules