Snort mailing list archives
Re: oinkmaster and binary rules
From: "Nathaniel Richmond" <nate+snort () richmond-family org>
Date: Thu, 22 Jan 2009 10:18:07 -0500 (EST)
Tim Maletic wrote:
I see how the latest oinkmaster can handle updating the rules files of so rules, but what about the so files themselves? I'm thinking in particular of the so rules that are being distributed binary-only in VRT rule sets.

-tm

Oinkmaster will not touch the actual .so files, so you have to put them in the appropriate directory yourself. Don't forget to run Snort against the .so rules with the '--dump-dynamic-rules' option. This will generate the required stub files, but they will not contain any changes you made to enable or disable specific rules. To change which are enabled or disabled, run Oinkmaster with the oinkmaster-so-rules.conf pointing to the directory that contains your new stubs.

Once you manually go through the process, you will see it is not difficult to script. You will have to run Oinkmaster twice, once for the standard rules and once for SO rules. Here is a script example that was previously sent to the list:

http://sourceforge.net/mailarchive/message.php?msg_name=2ffb4a7c0901091335x2eb34ac2p754076ca1374b39c%40mail.gmail.com

Nate

On Mon, Jan 19, 2009 at 9:33 AM, Leon Ward <seclists () rm-rf co uk> wrote:

From the very top of the Oinkmaster home page ( http://oinkmaster.sourceforge.net/ ) .....

[2008-02-19] Updating the shared object rules (so_rules) with Oinkmaster
By using the latest nightly CVS snapshot tarball you can now keep track of the shared object rules (so_rules) with Oinkmaster. See question #34 in the FAQ.

-Leon

On 19 Jan 2009, at 13:56, ty wrote:

Can oinkmaster be used to update / replace the binary (so_rules) rules from VRT? If not, any good suggestions for existing scripts to keep the binary rules updated?

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

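The two-pass update described in the reply above, sketched as an added example; it is not part of the original thread and is not the script linked from it. All paths and variable names are assumptions, including that snort.conf loads the dynamic rule libraries from `SO_LIB_DIR` and that the `url` line in oinkmaster-so-rules.conf points at `STUB_DIR`. It prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: two-pass rule update (standard rules, then SO-rule stubs).
# Every path below is an assumption; adjust to the sensor's layout.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # must load libs from SO_LIB_DIR
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
OINK_SO_CONF=${OINK_SO_CONF:-/etc/oinkmaster-so-rules.conf}  # its url = STUB_DIR
NEW_SO_DIR=${NEW_SO_DIR:-/tmp/vrt/so_rules}       # unpacked .so files (assumed)
SO_LIB_DIR=${SO_LIB_DIR:-/usr/local/lib/snort_dynamicrules}
STUB_DIR=${STUB_DIR:-/tmp/so_stubs}               # freshly dumped stubs
RULES_OUT=${RULES_OUT:-/etc/snort/rules}
SO_RULES_OUT=${SO_RULES_OUT:-/etc/snort/so_rules}
DRY_RUN=${DRY_RUN:-1}                             # 1 = print commands only

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Succeeds only if the directory holds at least one generated stub file.
stubs_present() {
    for f in "$1"/*.rules; do
        [ -e "$f" ] && return 0
    done
    return 1
}

update_rules() {
    # Pass 1: standard text rules.
    run oinkmaster.pl -C "$OINK_CONF" -o "$RULES_OUT" || return 1
    # Oinkmaster does not install the .so files, so copy them in by hand.
    run cp "$NEW_SO_DIR"/*.so "$SO_LIB_DIR"/ || return 1
    # Regenerate stubs; these come out without local enable/disable edits.
    run mkdir -p "$STUB_DIR" || return 1
    run snort -c "$SNORT_CONF" --dump-dynamic-rules "$STUB_DIR" || return 1
    if [ "$DRY_RUN" != 1 ] && ! stubs_present "$STUB_DIR"; then
        echo "no stub files in $STUB_DIR, leaving $SO_RULES_OUT alone" >&2
        return 1
    fi
    # Pass 2: Oinkmaster reapplies enable/disable choices to the stubs.
    run oinkmaster.pl -C "$OINK_SO_CONF" -o "$SO_RULES_OUT"
}

update_rules
```

The stub check stops the second pass when Snort produced nothing, so a failed dump does not leave the existing SO rules directory half-updated.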
Current thread:
- oinkmaster and binary rules ty (Jan 19)
- Re: oinkmaster and binary rules Leon Ward (Jan 19)
- Re: oinkmaster and binary rules Tim Maletic (Jan 21)
- Message not available
- Re: oinkmaster and binary rules Nathaniel Richmond (Jan 22)
- Re: oinkmaster and binary rules Seth Art (Jan 22)
- Re: oinkmaster and binary rules Leon Ward (Jan 19)