ansible_security.ids_rule

ids_rule

Tech Preview

This is a role for managing rules and signatures for different Intrusion Detection Systems (IDS). These systems are called "providers" in this role.

Supported Providers:

  • snort

Requirements

You need the following:

  • Red Hat Enterprise Linux 7.x or a similar distribution like CentOS 7 or Scientific Linux 7
  • idstools

Role Variables

  • ids_provider: This sets the IDS provider (default: snort).
  • ids_rule: The specific rule you want to add or remove.
  • ids_rule_state: Should be either present (to add the rule) or absent (to remove it).
  • ids_rules_file: The file that contains the rules (default: /etc/snort/rules/local.rules).

Dependencies

The dependencies depend on the selected provider.

Snort Dependencies

  • [Details Pending]

Example Playbook

Here is an example of how to manage Snort rules:

- name: manage snort rules
  hosts: idshosts
  become: yes
  become_user: root
  gather_facts: false

  vars:
    ids_provider: snort
    protocol: tcp
    source_port: any
    source_ip: any
    dest_port: any
    dest_ip: any

  tasks:
    - name: Add snort password attack rule
      include_role:
        name: "ids_rule"
      vars:
        ids_rule: 'alert {{protocol}} {{source_ip}} {{source_port}} -> {{dest_ip}} {{dest_port}} (msg:"Attempted /etc/passwd Attack"; uricontent:"/etc/passwd"; classtype:attempted-user; sid:99000004; priority:1; rev:1;)'
        ids_rules_file: '/etc/snort/rules/local.rules'
        ids_rule_state: present
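
A Python model of what ids_rule_state does to the rules file, added here as an illustration and not the role's own code: it parses the Snort rule from the playbook above, checks for the msg, sid and rev options, and adds or removes the rule in local.rules content idempotently. Matching existing lines by sid is an assumption of this model, not something the page states about the role.

```python
import re
# Snort rule layout: <action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# The rule from the example playbook above, with its variables rendered.
SAMPLE_RULE = ('alert tcp any any -> any any (msg:"Attempted /etc/passwd Attack"; uricontent:'
               '"/etc/passwd"; classtype:attempted-user; sid:99000004; priority:1; rev:1;)')


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into header fields plus an options dict."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {rule!r}")
    opts = {}
    # Splitting on ';' suffices here; content strings containing ';' would need a tokenizer.
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            raise ValueError(f"rule is missing '{required}': {rule!r}")
    return {**m.groupdict(), "opts": opts}


def _sid(line: str):
    """sid of a rule line, or None for comments, blank lines and unparsable text."""
    try:
        return parse_rule(line)["opts"]["sid"]
    except ValueError:
        return None


def ensure_rule(rules_text: str, rule: str, state: str) -> str:
    """Return the rules file content with `rule` present or absent (ids_rule_state)."""
    # Match by sid (assumption): re-adding is idempotent and a bumped rev replaces the old line.
    if state not in ("present", "absent"):
        raise ValueError("ids_rule_state must be 'present' or 'absent'")
    sid, kept, seen = parse_rule(rule)["opts"]["sid"], [], False
    for line in rules_text.splitlines():
        if _sid(line) == sid:
            if state == "present" and not seen:
                kept.append(rule.strip())  # replace the old version in place
            seen = True
            continue
        kept.append(line)
    if state == "present" and not seen:
        kept.append(rule.strip())
    return "\n".join(kept) + "\n"
```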

License

GPLv3

Author Information

Created by the Ansible Security Automation Team.

About the project

Ansible role to manage rules and signatures for Intrusion Detection Systems

Install
ansible-galaxy install ansible_security.ids_rule