OpenVAS and Snort rules in AlienVault OSSIM are deployed as part of the updates. However, you can update them more frequently, directly from the OpenVAS and Snort repositories.
Openvas Plugin Update Script
Most of this comes directly from the AlienVault configuration guide, where it is scattered across several places. Here’s the script to update the OpenVAS rules:
#!/bin/sh
openvas-nvt-sync --wget
/etc/init.d/openvas-scanner restart
perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate
Save this as a .sh file (e.g. update-openvas-plugins.sh), set its mode to 700 and make root the owner:
chmod 700 update-openvas-plugins.sh
chown root:root update-openvas-plugins.sh
Then edit root’s crontab and add the following line:
0 3 * * 6 /bin/sh /scripts/update-openvas-plugins.sh
This one runs weekly on Saturday at 3am. For more info on editing crontab see here.
Snort Plugin Update Script
Here’s the script to update Snort:
#!/bin/sh
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
/etc/init.d/ossim-server restart
If the box is just a snort collector and doesn’t have the ossim-server running you’ll want to change that last line to read:
Where eth1 is the interface snort is attached to.
Then edit crontab again and add in the line:
0 4 * * 6 /bin/sh /scripts/update-snort-rules.sh
This one runs every Saturday at 4am.
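Both cron entries above run their scripts as root, so the chmod 700 / root ownership step only helps if the directory holding the scripts is locked down as well. The following check is an added example, not part of the AlienVault guide; the function names are made up for illustration, and the /scripts path in the usage comment is taken from the crontab lines above.

```shell
#!/bin/sh
# Added example: audit a script that root's cron will execute.
# Usage (after sourcing this file):
#   check_cron_script /scripts/update-openvas-plugins.sh
#   check_cron_script /scripts/update-snort-rules.sh
# An optional second argument names the expected owner (default: root).

# is_loose PATH: true if PATH is writable by group or other.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# owned_by PATH OWNER: true if PATH belongs to OWNER (name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print)" ]
}

# check_cron_script PATH [OWNER]
# Returns 0 only if PATH is a regular file (not a symlink) and both the
# file and its parent directory are owned by OWNER and not writable by
# group or other. Each problem found is printed as a FAIL line.
check_cron_script() {
    script=$1
    owner=${2:-root}
    rc=0
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "FAIL: $script is missing or is a symlink"
        return 1
    fi
    dir=$(dirname "$script")
    # A writable parent directory lets another user replace the file,
    # whatever the mode of the file itself.
    for p in "$script" "$dir"; do
        if ! owned_by "$p" "$owner"; then
            echo "FAIL: $p is not owned by $owner"
            rc=1
        fi
        if is_loose "$p"; then
            echo "FAIL: $p is writable by group or other"
            rc=1
        fi
    done
    return $rc
}
```

A non-zero return means the file or its directory should be fixed with chmod/chown before the cron entry is trusted.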