Here are the instructions I wrote for configuring IDSPM to upload rules to a Red Hat ES sensor. Maybe they will help. Snort runs under the "snort" account, which is added to sudoers so that it is allowed to restart the Snort daemon.
visudo
Comment out this line:
Defaults requiretty
Add this line:
%snort ALL=(ALL) NOPASSWD: /etc/init.d/snortd
HTH,
Ray
- Change var RULE_PATH ../rules to var RULE_PATH rules
- Although changing it to just rules doesn’t look right, this is correct when Activeworx’s IDS Policy Manager v2.2 is being used. If this variable is not set this way, IDSPM will put the snort.conf file into the rules folder.
Configuring Activeworx’s IDS Policy Manager v2.2
- Copy the snort.conf file from /etc/snort and all of the files in the /etc/snort/rules folder into a single folder on your desktop. IDSPM will build the policy from these files.
  Note: IDS Policy Manager is one-way only. Any manual changes you make on the Snort sensor will get overwritten on the next policy update from IDSPM.
- Right-click on Snort Policies and click on Add Policy.
  - Policy Settings tab
    - Give it a name, usually the same name as the sensor, and a description.
    - Select the version of Snort and check Initialize Policy.
  - Update Locations tab
    - Click the green + button.
    - Click somewhere in the blank Update Location Name field. This brings up a drop-down from which you select where the rules will be downloaded from. You can add multiple locations, such as Snort 2.8 and Emerging Threats.
    - Click OK.
  - An Initialize Policy dialog box will appear. Initialize it from the desktop folder created previously, the one that holds the snort.conf file and all of the rules.
    - Click the Local File tab and the Browse button. Browse to the desktop folder and click on the snort.conf file.
    - Click Open and Start. This can take several minutes.
  - After the policy is initialized, collapse the Snort Policies section and re-expand it if the new policy is not visible in the left pane.
  - Click on Snort Policies and then right-click in the right-hand frame.
  - Click on Update Policies and check the policy you just added. Click Start and it will download the newest rules from the selected location.
  - After it completes, review the downloaded rules as needed.
- If you imported Emerging Threats rules, go into Snort Policies - <sensor name> - Rule Groups and disable every rule that starts with bleeding and has BLOCK as part of its name.
  If you don’t do this, the Snort sensor will fail to restart because fwsam is not set up. You can select all of the rules with shift-click; disable them in all policies if you know fwsam is not being used at all.
- In the Variables section, delete any extra HOME_NET or other duplicate variables.
- Right-click on Snort Sensors and click Add. Add its name and a description.
  - Sensor Settings tab
    - Sensor Host = IP address
    - Sensor ID = Select the same as the Sensor name
    - Policy = the policy you just imported
    - Group = not used
    - Location = as appropriate
    - Snort Version = Select or type the entire version number
  - Upload Settings tab
    - Upload Protocol = SFTP, port 22
    - Upload Directory = /etc/snort
    - Configuration File = snort.conf
    - Test Connectivity Command = uname -a;id (pre-filled in)
    - Use Compression = unchecked
  - Authentication tab
    - Username = snort
    - Authentication Mode = Password
    - (Enter the password twice)
  - Proxy Settings tab
    - Proxy Type = Disabled
  - Variables tab
    - (no changes needed)
  - Restart Settings tab
    - Restart after Upload = checked
    - Restart Method = Script via SSH
    - Script = sudo /etc/init.d/snortd restart
  - Click OK
After you install or update the policy on a sensor, you should SSH to it, su -l and run pidof snort to make sure it is running.
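As an added example (not from Ray's post or from Activeworx), here is a small POSIX sh script that checks a sensor for the three things above that break an IDSPM push: RULE_PATH not set to plain rules, bleeding*BLOCK rules left enabled without fwsam, and duplicate HOME_NET definitions, and then confirms the daemon with pidof as the last step suggests. The /etc/snort paths come from the post; the bleeding*BLOCK file-name pattern, the script name check_sensor.sh and the sample inputs in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: post-upload sanity checks for an
# IDSPM-managed sensor. /etc/snort paths come from the post; the
# bleeding*BLOCK file-name pattern and pidof are assumptions about the sensor.

# RULE_PATH must be exactly "rules", not "../rules", or IDSPM drops snort.conf
# into the rules folder. Succeeds only when that exact line is present.
check_rule_path() {
    grep -Eq '^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+rules[[:space:]]*$' "$1"
}

# Count rule lines still enabled (not commented out) in any bleeding*BLOCK
# rule file under the given directory. These rules need fwsam; without it
# Snort will not start. Prints the count (0 if there is no such file).
count_enabled_block_rules() {
    dir=$1
    n=0
    for f in "$dir"/bleeding*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in *[Bb][Ll][Oo][Cc][Kk]*) ;; *) continue ;; esac
        c=$(grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$f" || true)
        n=$((n + c))
    done
    echo "$n"
}

# Count definitions of one variable (e.g. HOME_NET); more than one means a
# duplicate that should be deleted in the policy's Variables section.
count_var_definitions() {
    grep -Ec "^[[:space:]]*var[[:space:]]+$2[[:space:]]" "$1" || true
}

# Run all checks against the live sensor, then confirm the daemon is up.
run_sensor_checks() {
    conf=${1:-/etc/snort/snort.conf}
    rules=${2:-/etc/snort/rules}
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    check_rule_path "$conf" || { echo "RULE_PATH is not 'rules'"; return 1; }
    [ "$(count_enabled_block_rules "$rules")" -eq 0 ] || { echo "fwsam BLOCK rules still enabled"; return 1; }
    [ "$(count_var_definitions "$conf" HOME_NET)" -le 1 ] || { echo "duplicate HOME_NET"; return 1; }
    pidof snort >/dev/null || { echo "snort is not running"; return 1; }
    echo "sensor checks passed"
}

# Usage on the sensor: sh check_sensor.sh --run [snort.conf] [rules dir]
case "${1:-}" in --run) run_sensor_checks "${2:-}" "${3:-}" ;; esac
```

Run it on the sensor after each upload with `sh check_sensor.sh --run`; a non-zero exit tells you which of the three policy mistakes made it through before Snort fails to start.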