Updating snort and openvas rules

Openvas and snort rules in Alienvault OSSIM are deployed as part of the updates. However, you can update them more frequently directly from the Openvas and Snort repositories.

Openvas Plugin Update Script

Most of this is directly from the Alienvault configuration guide, but in assorted places. Here’s the script to update the openvas rules:

openvas-nvt-sync --wget /etc/init.d/openvas-scanner restart 
perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate

Save this as a .sh file (e.g. update-openvas-plugins.sh) and chmod to 700 with owner root

chmod 700 update-openvas-plugins.sh 
chown root.root update-openvas-plugins.sh

Then add to root’s crontab:

crontab -e

and add the following line:

0 3 * * 6 /bin/sh /scripts/update-openvas-plugins.sh

where this one runs weekly on Saturday at 3am. For more info on editing crontab see here.

Snort Plugin Update Script

Here’s the script to update snort:

perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
/etc/init.d/ossim-server restart

If the box is just a snort collector and doesn’t have the ossim-server running you’ll want to change that last line to read:

/etc/init.d/snort restart


/etc/init.d/snort_eth1 restart

Where eth1 is the interface snort is attached to.

Then edit crontab again and add in the line:

0 4 * * 6 /bin/sh /scripts/update-snort-rules.sh

This one runs every Saturday at 4am.

Tagged , , , , , , , , , ,

One thought on “Updating snort and openvas rules

  1. Saad Faruque says:

    nice write .. shall try it out some time soon :-)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: