#!/usr/local/bin/bash



# Stop the sensor and the snortsam blocking agent before the rule set is
# rebuilt.  NOTE(review): from this point until SNORTCHECK.sh at the end of
# the script the IDS is not running, and nothing in between restarts it if
# a later step aborts; killing them just before the restart would shrink
# that window.
for daemon in snort snortsam; do
  killall "$daemon"
done



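# --- rule feed download ----------------------------------------------------
# Both feeds are fetched over plain HTTP and nothing checks a signature or a
# digest: anyone who can tamper with the path to these hosts can hand us
# arbitrary rule text, which the tagging loop further down turns into
# auto-block actions.  NOTE(review): prefer https and verify a published
# checksum if the mirrors offer one; this block only adds sanity checks.
snort_dir=/usr/local/etc/snort
# The hex path segment after oinkmaster.cgi/ looks like a snort.org oinkcode,
# i.e. a per-account download credential.  Let it come from the environment
# so the script itself need not carry it; the old value stays as fallback.
oinkcode=${SNORT_OINKCODE:-e0b349fe187b863a9556f95fd5c589392df9369b}
vrt_url="http://www.snort.org/pub-bin/oinkmaster.cgi/${oinkcode}/snortrules-snapshot-2.8.tar.gz"
et_url=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

echo downloading snort.org pr public release  rules

# Everything below (tar -x, the relative redirects later on) assumes this
# cwd, so do not carry on in whatever directory the script was started from.
# snort was already stopped above; an abort here leaves it down until the
# operator restarts it.
cd "$snort_dir" || { echo "cannot cd to $snort_dir; aborting" >&2; exit 1; }

# fetch_rules URL TARBALL [WGET-ARGS...]
# Download URL to TARBALL and unpack it into the cwd.  As before, the old
# tarball is removed first, but extraction only happens if the download
# succeeded, the file is a readable archive (a 200 HTML error page or a
# truncated body is not) and no member path is absolute or contains "..".
# On any failure the rules already on disk are left untouched and 1 is
# returned; wget's partial output is removed.
fetch_rules() {
  local url=$1 tarball=$2 members
  shift 2
  rm -f -- "$tarball"
  if ! wget -O "$tarball" "$@" "$url"; then
    echo "download of $url failed; keeping existing rules" >&2
    rm -f -- "$tarball"
    return 1
  fi
  # Same flag form as the extraction (no -z): tar detects the compression.
  if ! members=$(tar -tf "$tarball"); then
    echo "$tarball is not a readable archive; keeping existing rules" >&2
    return 1
  fi
  if printf '%s\n' "$members" | grep -E -q '^/|(^|/)\.\.(/|$)'; then
    echo "$tarball contains absolute or ../ member paths; refusing to extract" >&2
    return 1
  fi
  tar -xvf "$tarball"
}

# download snort.org rules
fetch_rules "$vrt_url" snortrules-snapshot-2.8.tar.gz -U wtf

# download emergingthreats rules
fetch_rules "$et_url" emerging.rules.tar.gz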

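# remove unwanted rulesets
# Rule files the operator does not want loaded.  They are deleted before the
# include list is generated, so dropping a name here disables a whole
# category.  NOTE(review): this disables, among others, every scan/portscan
# (scan, emerging-scan), ICMP, FTP, NetBIOS and policy signature — a
# deliberate noise-reduction choice worth revisiting with the coverage it
# removes in mind.  local.rules is deleted too, so site-specific rules must
# live somewhere else.  (multimedia.rules was listed twice in the original.)
unwanted_rulesets=(
  emerging-tor-BLOCK.rules
  finger.rules
  imap.rules
  info.rules
  local.rules
  multimedia.rules
  policy.rules
  voip.rules
  web-activex.rules
  web-attacks.rules
  x11.rules
  icmp-info.rules
  icmp.rules
  chat.rules
  ftp.rules
  p2p.rules
  emerging-p2p.rules
  emerging-scan.rules
  scan.rules
  netbios.rules
  porn.rules
)

# remove_rulesets DIR NAME...
# Delete DIR/NAME for every NAME.  -f keeps a name that is absent from the
# current feed from spamming stderr (the old bare rm did).
remove_rulesets() {
  local dir=$1 name
  shift
  for name in "$@"; do
    rm -f -- "$dir/$name"
  done
}

remove_rulesets /usr/local/etc/snort/rules "${unwanted_rulesets[@]}"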

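# copy template
# Start every run from the pristine template so the include and suppress
# lines appended below never pile up on top of a previous run's output.
# Abort if the template cannot be copied: appending to whatever snort.conf
# is already there would duplicate every include/suppress entry.  (snort was
# stopped at the top of the script, so an abort leaves it down until it is
# restarted by hand.)
snort_conf=/usr/local/etc/snort/snort.conf
if ! cp -- "$snort_conf.template" "$snort_conf"; then
  echo "cannot create $snort_conf from $snort_conf.template; aborting" >&2
  exit 1
fi

# include all rules files in ./rules ..
# Written to the absolute path rather than a cwd-relative "snort.conf";
# the glob replaces parsing `ls` output.
for rule_file in /usr/local/etc/snort/rules/*.rules; do
  [ -e "$rule_file" ] || continue   # unmatched glob expands to the pattern itself
  printf 'include %s\n' "$rule_file"
done >> "$snort_conf"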


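# remove unwanted sigs ...
# Drop individual signatures by pattern from selected rule files.
# NOTE(review): each pattern is an unanchored ERE matched against the whole
# rule line, so "403" also removes any rule whose sid or message merely
# contains the digits 403, and "traversal"/"disclosure" remove every rule
# mentioning those words.  The fast_pattern/http_header/http_method removals
# presumably drop rules using keywords this snort build rejects — confirm
# before narrowing them.
rules_dir=/usr/local/etc/snort/rules

# prune_rules FILE ERE
# Rewrite FILE without the lines matching ERE.  A missing FILE is skipped
# with a warning instead of being replaced by an empty one (the old
# "egrep > tmp; mv tmp FILE" did exactly that), and the replacement is
# built next to FILE under a mktemp name rather than as "tmp" in the cwd.
prune_rules() {
  local file=$1 pattern=$2 tmp status
  if [ ! -f "$file" ]; then
    echo "prune_rules: $file not found, skipping" >&2
    return 1
  fi
  tmp=$(mktemp "$file.XXXXXX") || return 1
  grep -E -v -e "$pattern" -- "$file" > "$tmp"
  status=$?
  # grep exits 1 when nothing is left, a legitimate outcome here; only an
  # actual error (2) abandons the rewrite.
  if [ "$status" -gt 1 ]; then
    rm -f -- "$tmp"
    return 1
  fi
  chmod 0644 -- "$tmp"   # mktemp gives 0600; the old redirect produced the umask default
  mv -f -- "$tmp" "$file"
}

prune_rules "$rules_dir/spyware-put.rules" 'fast_pattern'
prune_rules "$rules_dir/dns.rules" 'DNS SPOOF|DNS TCP inv'
# the two former web-misc passes merged into one (same set of lines removed)
prune_rules "$rules_dir/web-misc.rules" 'http_header|disclosure|nc.exe|robots|Invalid HTTP Version String|traversal'
prune_rules "$rules_dir/emerging-web_specific_apps.rules" 'http_header'
prune_rules "$rules_dir/misc.rules" 'UPnP mal'
prune_rules "$rules_dir/attack-responses.rules" '403'
prune_rules "$rules_dir/specific-threats.rules" 'http_method'
prune_rules "$rules_dir/backdoor.rules" 'http_header'
prune_rules "$rules_dir/exploit.rules" 'fast_pattern'
prune_rules "$rules_dir/web-client.rules" 'fast_pattern'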









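# suppress
# Event suppressions appended to snort.conf as "gen_id sig_id" pairs.
# gen_id 1 is presumably the text rules loaded above (the 7-digit ids look
# like Emerging Threats sids); the other gen_ids are preprocessor/decoder
# generators — check gen-msg.map for the mapping.  Entries repeated in the
# original list (1/560 three times, 1/2001669, 1/31534 and 1/2404022 twice)
# are written once.
# TODO(review): "1 20064022" has one digit more than every other ET sid and
# sits next to 2006402 — verify it is not a typo before relying on it.
snort_suppressions=(
  "125 2"
  "1 560"
  "125 7"
  "119 4"
  "1 2001682"
  "1 2003099"
  "1 2000419"
  "1 2001331"
  "1 1067"
  "1 1066"
  "119 15"
  "1 1062"
  "1 20064022"
  "1 2404021"
  "1 2006380"
  "1 2006402"
  "1 1852"
  "111 4"
  "1 2001805"
  "1 2001669"
  "122 3"
  "1 201"
  "1 2000369"
  "1 2000355"
  "1 2000356"
  "1 31534"
  "1 1201"
  "122 4"
  "1 2001980"
  "1 2001984"
  "1 13819"
  "1 3153"
  "1 1212"
  "1 2001972"
  "1 2002973"
  "1 2525048"
  "1 2181"
  "1 3825"
  "116 54"
  "116 58"
  "1 969"
  "1 2009030"
  "1 2000357"
  "1 13901"
  # IRC blocks
  "1 2404022"
  # new triggers on port 21 for ET
  "125 1"
  "1 2001329"
  "1 2002997"
)

# emit_suppressions "GEN SIG"...
# Print one "suppress gen_id GEN, sig_id SIG" line per distinct pair, in the
# order given.  Deduplication uses a plain string so it also works on a
# bash without associative arrays.
emit_suppressions() {
  local entry gen sig seen=""
  for entry in "$@"; do
    case " $seen " in
      *" $entry "*) continue ;;
    esac
    seen="$seen $entry"
    gen=${entry%% *}
    sig=${entry#* }
    printf 'suppress gen_id %s, sig_id %s\n' "$gen" "$sig"
  done
}

emit_suppressions "${snort_suppressions[@]}" >> /usr/local/etc/snort/snort.conf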


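# PULL OUT SOME COMMON SIGS
# Strip every rule mentioning MSN, AOL or AIM from every rule file.
# NOTE(review): the match is an unanchored, case-sensitive substring, so
# "AIM" also drops rules whose text contains e.g. "CLAIM"; anchor it to the
# msg field if that matters.

# strip_im_rules DIR
# Rewrite each DIR/*.rules without the matching lines.  The glob replaces
# parsing `ls`, a missing/unmatched file is skipped, and the replacement is
# built under a mktemp name next to the file instead of "FILE.tmp".
strip_im_rules() {
  local dir=$1 f tmp status
  for f in "$dir"/*.rules; do
    [ -f "$f" ] || continue   # unmatched glob expands to the pattern itself
    tmp=$(mktemp "$f.XXXXXX") || return 1
    grep -E -v 'MSN|AOL|AIM' -- "$f" > "$tmp"
    status=$?
    if [ "$status" -gt 1 ]; then   # 1 = nothing left, fine; 2 = error
      rm -f -- "$tmp"
      return 1
    fi
    chmod 0644 -- "$tmp"   # mktemp gives 0600; the old redirect produced the umask default
    mv -f -- "$tmp" "$f" || return 1
  done
}

strip_im_rules /usr/local/etc/snort/rules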


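# add snortsam tag ################################################
# Append "fwsam: src, 5 minutes;" to every rule, so that — as the keyword
# name suggests — each alert asks snortsam to block the triggering packet's
# source address for five minutes.
# NOTE(review): this makes every signature, including the noisy
# informational ones, an automatic block.  Packets with a forged source
# (UDP/ICMP, or anything a stateless rule matches) can get arbitrary
# addresses blocked, and for rules whose source side is $HOME_NET the
# blocked host is an internal one.  The "IRC blocks" suppression above hints
# this has bitten before; make sure snortsam's never-block list covers
# gateways, DNS and other critical hosts.
# Rules mentioning MyDoom are not merely left untagged but dropped entirely
# (grep -v), as in the original — confirm that is intended.
# Only lines ending in exactly ";)" or "; )" are tagged; a rule with trailing
# whitespace keeps its original ending and stays untagged.  Already-tagged
# lines end in ";   )" and are therefore not tagged twice on a re-run.

# tag_rules_for_snortsam DIR
# Rewrite each DIR/*.rules as described above; missing files are skipped.
tag_rules_for_snortsam() {
  local dir=$1 f tmp
  for f in "$dir"/*.rules; do
    [ -f "$f" ] || continue   # unmatched glob expands to the pattern itself
    printf '%s\n' "adding tag to $f"
    tmp=$(mktemp "$f.XXXXXX") || return 1
    # both substitutions are $-anchored, so the old /g flag changed nothing
    if ! grep -v MyDoom -- "$f" \
        | sed -e 's/;)$/; fwsam: src, 5 minutes;   )/' \
              -e 's/; )$/; fwsam: src, 5 minutes;   )/' > "$tmp"; then
      # sed failed (grep's 1 for "no lines" does not reach here)
      rm -f -- "$tmp"
      return 1
    fi
    chmod 0644 -- "$tmp"   # mktemp gives 0600; the old redirect produced the umask default
    mv -f -- "$tmp" "$f" || return 1
  done
}

tag_rules_for_snortsam /usr/local/etc/snort/rules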


# Hand over to the site check script (not shown here); presumably it
# validates the generated snort.conf and restarts snort/snortsam, which were
# killed at the top of this script — confirm.  Nothing above verifies that
# the downloads or rule rewrites succeeded before this runs.
/usr/local/sbin/SNORTCHECK.sh



# Helper kept for reference (commented out): lists the $VAR names referenced in *.rules that must be defined in snort.conf. Note that the bracket groups in the pattern below, e.g. [HOME_NET|HTTP_SERVERS], are character classes rather than alternations, so it filters less than intended.
#cat * | grep '\$' | egrep -v '(.* \$EXTERNAL_NET*.*\$[HOME_NET|HTTP_SERVERS]|.* \$HOME_NET*.*\$EXTERNAL_NET|.* \$[HOME_NET|EXTERNAL_NET]*.*\$DNS_SERVERS|\$HOME_NET any)'

