Skip to content
Snippets Groups Projects

update filter

Last edited by Ming Di Leom

Some software like Snort, Suricata and Splunk do not have a built-in updater for custom ruleset. An OS job scheduler can be utilised instead. On Linux, two common methods are cron (easier) and systemd timer (customisable); choose either one. Before you proceed with this guide, ensure curl is installed.

Cron

Create a shell script in "/etc/cron.daily/" or "/etc/cron.hourly/". Since all filters are updated twice a day, you may prefer to use "cron.hourly". The script should have executable permission chmod 755.

#!/bin/sh

CURL_EXIT="0"

# Enter mirrors here
MIRRORS="
https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-snort2-online.rules
https://curbengh.github.io/malware-filter/urlhaus-filter-snort2-online.rules
https://curbengh.github.io/urlhaus-filter/urlhaus-filter-snort2-online.rules
https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-snort2-online.rules
https://malware-filter.pages.dev/urlhaus-filter-snort2-online.rules
https://urlhaus-filter.pages.dev/urlhaus-filter-snort2-online.rules
"

# Ruleset location
RULESET="/etc/snort/rules/urlhaus-filter-snort2-online.rules"

for DL in $MIRRORS; do
  printf "Updating ruleset from $DL\n"
  curl -sSL --fail-with-body "$DL" -o "$RULESET"
  CURL_EXIT="$?"
  if [ "$CURL_EXIT" = "0" ]; then
    break
  fi
done

exit "$CURL_EXIT"

Systemd timer

  1. Use the cron shell script but save it in the ruleset folder instead (e.g. "/etc/snort/rules/update-urlhaus-filter.sh").

  2. Create a new file as "/etc/systemd/system/update-urlhaus-filter.service" (change the filename appropriately, depending on which filter you use), modify the ExecStart line to the script location.

    [Unit]
Description=Update urlhaus-filter ruleset

[Service]
Type=oneshot
ExecStart=/etc/snort/rules/update-urlhaus-filter.sh

  3. Create a new file as "/etc/systemd/system/update-urlhaus-filter.timer". The filename must be the same as the previous step.

    [Unit]
Description=Update urlhaus-filter ruleset twice a day

[Timer]
OnCalendar=01:00 UTC
OnCalendar=13:00 UTC
Persistent=true

[Install]
WantedBy=timers.target

  4. Enable the timer, remember to include the .timer suffix.

    systemctl daemon-reload
systemctl enable --now update-urlhaus-filter.timer

Comments

    Please register or sign in to add a comment.