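#!/usr/bin/env bash
# Rebuild the Snort 2.8 ruleset under /usr/local/etc/snort from the snort.org
# rules snapshot plus the Emerging Threats rules, regenerate snort.conf from
# its template, prune unwanted rule files / signatures, append suppress lines,
# and tag every remaining rule with a snortsam "fwsam" action.
#
# Required environment:
#   OINKCODE  snort.org oinkcode used in the download URL. It is a credential,
#             so it is read from the environment instead of being written into
#             this file (the original carried a placeholder in the URL).
#
# Side effects: stops snort and snortsam, rewrites snort.conf and every file in
# the rules directory, then runs /bin/SNORTCHECK.sh. Nothing here restarts the
# sensors; the original did not either.
#
# Fixes over the original one-liner version:
#   * `egrep -v ... file > file` truncated each rules file before grep read it,
#     leaving it empty; filtering now goes through a temp file and mv.
#   * `backdoor.ruless` (typo) meant backdoor.rules was emptied rather than
#     filtered.
#   * several filters and the snortsam tag loop used $SNORT_DIR/*.rules while
#     snort.conf only includes $RULES_DIR/*.rules; all now use $RULES_DIR.
#   * `for i in $(ls ...)` replaced by globs; rm/cp/downloads are checked.
#   * duplicated suppress entries and a duplicated rm are listed once.

set -u

readonly SNORT_DIR=/usr/local/etc/snort
readonly RULES_DIR=${SNORT_DIR}/rules
readonly SNORT_CONF=${SNORT_DIR}/snort.conf
readonly VRT_TARBALL=snortrules-snapshot-2.8.tar.gz
readonly ET_TARBALL=emerging.rules.tar.gz
readonly ET_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Drop every line matching an extended regex from a rules file, in place.
# Writes to "$file.tmp" then renames so the source is never truncated before
# it is read. grep -v exits 1 when no line is left, which is not an error here.
# Arguments: $1 - rules file, $2 - extended regex of lines to remove
#######################################
drop_matching() {
  local file=$1 pattern=$2
  if [[ ! -f "$file" ]]; then
    printf 'warning: %s not found, skipping filter\n' "$file" >&2
    return 0
  fi
  grep -E -v -- "$pattern" "$file" > "$file.tmp" || true
  mv -- "$file.tmp" "$file"
}

#######################################
# Append one "suppress" directive to snort.conf.
# The trailing ':' reproduces the original output byte for byte; confirm that
# Snort accepts it (e.g. `snort -T -c snort.conf`) before relying on it.
# Arguments: $1 - gen_id, $2 - sig_id
#######################################
add_suppress() {
  printf 'suppress gen_id %s, sig_id %s:\n' "$1" "$2" >> "$SNORT_CONF"
}

#######################################
# Download and unpack both rule tarballs into $SNORT_DIR.
# NOTE(review): both transfers are plain HTTP and the archives are extracted
# without any checksum or signature check, so the resulting ruleset is only as
# trustworthy as the network path; the original behaved the same way.
#######################################
fetch_rules() {
  cd "$SNORT_DIR" || die "cannot cd to $SNORT_DIR"
  printf 'downloading snort.org pr public release rules\n'
  rm -f -- "$VRT_TARBALL"
  # -U wtf: User-Agent the original sent; kept unchanged.
  wget -O "$VRT_TARBALL" -U wtf \
    "http://www.snort.org/pub-bin/oinkmaster.cgi/${OINKCODE}/${VRT_TARBALL}" \
    || die "download of $VRT_TARBALL failed"
  tar -xvf "$VRT_TARBALL" || die "extract of $VRT_TARBALL failed"

  wget -O "$ET_TARBALL" "$ET_URL" || die "download of $ET_TARBALL failed"
  tar -xvf "$ET_TARBALL" || die "extract of $ET_TARBALL failed"
}

#######################################
# Delete whole rule files this sensor does not want loaded.
#######################################
remove_rulesets() {
  local unwanted=(
    emerging-tor-BLOCK finger imap info local multimedia policy voip
    web-activex web-attacks x11 icmp-info icmp chat ftp p2p emerging-p2p
    emerging-scan scan netbios porn
  )
  local name
  for name in "${unwanted[@]}"; do
    rm -f -- "$RULES_DIR/$name.rules"
  done
}

#######################################
# Start snort.conf from the template and include every surviving rules file.
#######################################
build_conf() {
  cp -- "$SNORT_DIR/snort.conf.template" "$SNORT_CONF" \
    || die "cannot copy $SNORT_DIR/snort.conf.template"
  local rules
  for rules in "$RULES_DIR"/*.rules; do
    [[ -e "$rules" ]] || continue
    printf 'include %s\n' "$rules"
  done >> "$SNORT_CONF"
}

#######################################
# Remove individual signatures by pattern from specific rule files.
#######################################
prune_signatures() {
  drop_matching "$RULES_DIR/dns.rules" '(DNS SPOOF|DNS TCP inv)'
  drop_matching "$RULES_DIR/web-misc.rules" '(http_header)'
  drop_matching "$RULES_DIR/web-misc.rules" \
    '(disclosure|nc.exe|robots|Invalid HTTP Version String|traversal)'
  drop_matching "$RULES_DIR/misc.rules" '(UPnP mal)'
  drop_matching "$RULES_DIR/attack-responses.rules" '(403)'
  drop_matching "$RULES_DIR/specific-threats.rules" 'http_method'
  drop_matching "$RULES_DIR/backdoor.rules" 'http_header'
  drop_matching "$RULES_DIR/exploit.rules" 'fast_pattern'
  drop_matching "$RULES_DIR/web-client.rules" 'fast_pattern'
}

#######################################
# Append the suppress list to snort.conf (each gen_id/sig_id pair once).
#######################################
add_suppressions() {
  local pairs=(
    '125 2' '1 560' '125 7' '119 4' '1 2001682' '1 2003099' '1 2000419'
    '1 2001331' '1 1067' '1 1066' '119 15' '1 1062' '1 20064022' '1 2404021'
    '1 2006380' '1 2006402' '1 1852' '111 4' '1 2001805' '1 2001669' '122 3'
    '1 201' '1 2000369' '1 2000355' '1 2000356' '1 31534' '1 1201' '122 4'
    '1 2001980' '1 2001984' '1 13819' '1 3153' '1 1212' '1 2001972'
    '1 2002973' '1 2525048' '1 2181' '1 3825' '116 54' '116 58' '1 969'
    '1 2009030' '1 2000357' '1 13901'
    # IRC blocks
    '1 2404022'
    # new triggers on port 21 for ET
    '125 1' '1 2001329' '1 2002997'
  )
  local pair gen sig
  for pair in "${pairs[@]}"; do
    read -r gen sig <<<"$pair"
    add_suppress "$gen" "$sig"
  done
}

#######################################
# Pull out some common sigs (instant-messaging related) from every rules file.
#######################################
strip_common_sigs() {
  local rules
  for rules in "$RULES_DIR"/*.rules; do
    [[ -e "$rules" ]] || continue
    drop_matching "$rules" 'MSN|AOL|AIM'
  done
}

#######################################
# Add the snortsam tag: MyDoom rules are dropped entirely, every other rule
# gets "fwsam: src, 5 minutes;" inserted before its closing ')'.
# The original globbed $SNORT_DIR/*.rules, which snort.conf never includes;
# this loop covers the same files build_conf includes.
#######################################
tag_for_snortsam() {
  local rules
  for rules in "$RULES_DIR"/*.rules; do
    [[ -e "$rules" ]] || continue
    printf 'adding tag to %s\n' "$rules"
    grep -v MyDoom -- "$rules" \
      | sed 's/;)/; fwsam: src, 5 minutes; )/g' \
      | sed 's/; )/; fwsam: src, 5 minutes; )/g' > "$rules.tmp" || true
    mv -- "$rules.tmp" "$rules"
  done
}

main() {
  : "${OINKCODE:?set OINKCODE to your snort.org oinkcode}"
  # killall returns non-zero when nothing is running; that is not fatal.
  killall snort || true
  killall snortsam || true
  fetch_rules
  remove_rulesets
  build_conf
  prune_signatures
  add_suppressions
  strip_common_sigs
  tag_for_snortsam
  /bin/SNORTCHECK.sh
}

# script to find vars in *.rules to set in snort.conf
#cat * | grep '\$' | egrep -v '(.* \$EXTERNAL_NET*.*\$[HOME_NET|HTTP_SERVERS]|.* \$HOME_NET*.*\$EXTERNAL_NET|.* \$[HOME_NET|EXTERNAL_NET]*.*\$DNS_SERVERS|\$HOME_NET any)'

main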