Snort mailing list archives

Re: Using shared object rules with oinkmaster and snort


From: "Seth Art" <sethsec () gmail com>
Date: Fri, 9 Jan 2009 16:35:34 -0500

> Oinkmaster does not support so rules at this time.


According to question 34 of the Oinkmaster FAQ
(http://oinkmaster.cvs.sourceforge.net/oinkmaster/oinkmaster/FAQ?view=markup),
Andreas says that Oinkmaster does support so rules; however, even
after downloading the latest CVS code, I could not get it to work the
way I wanted it to.

> Somebody have any automation script to load so_rules on snort

I put together the following script which seems to do the trick. I
call it from cron, and send the output and error to a logfile.

It's a work in progress so feel free to give feedback.  Hopefully
others find it useful.


#!/bin/bash
###################################################################
# Purpose: This script is used to update Snort signatures
# Author: Seth Art
# Version: 1.0
###################################################################
# -- Stop at the first failed command or unset variable, so a failed
# -- download does not wipe the rule set and restart snort with nothing loaded
set -eu

DATE=`date`
echo "Date: $DATE"

# -- Before running sigupdate, remove old snortrules-snapshots
rm -rf /var/tmp/snortrules-snapshot-2.8*
rm -rf /var/tmp/snort-rules

# -- Pulls the url with the oinkcode from oinkmaster.conf
# -- Downloads the tarball

OINKURL=`grep url /etc/oinkmaster.conf | grep -v '#' | awk '{ print $3 }'`
# -- The tarball name is the last path component of the url
FILENAME=`basename "$OINKURL"`
wget --directory-prefix=/var/tmp "$OINKURL"


# -- Makes a temporary directory
# -- Extracts the tarball
# -- Pulls out the correct shared object rules and puts them in /etc/snort
# -- Has snort parse through the shared objects and create stubs for all rules

mkdir -p /var/tmp/snort-rules /etc/snort/rules/so_rules/stubs
tar zxf "/var/tmp/$FILENAME" -C /var/tmp/snort-rules/
# -- The precompiled directory has to match the platform and snort version in use
/bin/cp -fp /var/tmp/snort-rules/so_rules/precompiled/CentOS-4.6/i386/2.8.3/*.so /etc/snort/rules/so_rules/
/usr/sbin/snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/rules/so_rules/stubs/

# -- We are now ready to run oinkmaster and update the "rest" of the rules.
# -- Since we already downloaded the snortrules-snapshot file manually,
# -- we are going to tell oinkmaster to use that file.

/usr/local/bin/oinkmaster.pl -u "file:///var/tmp/$FILENAME" -o /etc/snort/rules

# -- Now we need to create the sid-msg-map files.
# -- First we create the shared object rule map.
# -- Then we create the "normal" rule map.
# -- Then we concatenate them together.
# -- This is what barnyard uses to map signatures names to signature ID's.

# -- Prefix every shared object entry with generator id 3. Anchoring on ^
# -- (rather than ^.) adds the prefix without eating the first digit of the sid.
/usr/local/bin/create-sidmap.pl /etc/snort/rules/so_rules/stubs/ | sed -e 's/^/3 || /' > /etc/snort/rules/so_rules/stubs/shared-sid-msg.map
/usr/local/bin/create-sidmap.pl /etc/snort/rules/ > /etc/snort/rules/sid-msg.map
cat /etc/snort/rules/so_rules/stubs/shared-sid-msg.map >> /etc/snort/rules/sid-msg.map

# -- Finally we cross our fingers and restart snort

/etc/init.d/snortd restart

--------------------------------------------------------------------------------

Regards,

Seth
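As an added example (not Seth's script, and not code from the Oinkmaster or Snort projects), here is a small Python parser that reads the stub rules that --dump-dynamic-rules writes and builds sid-msg.map entries from each rule's own gid/sid/msg options rather than a blanket sed prefix. The sample rule lines are constructed, and the regular expressions are this example's own assumption about the rule syntax.

```python
import re

# Constructed sample (not from the original post): two stubs in the shape
# `snort --dump-dynamic-rules` writes them (gid:3 marks a shared object rule),
# one ordinary text rule, and one rule oinkmaster has commented out.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB sample so rule"; sid:13161; gid:3; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS sample \"quoted\" so rule"; gid:3; sid:13162; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB sample text rule"; sid:2000001; rev:1;)
# alert tcp any any -> any 25 (msg:"SMTP disabled rule"; sid:2000002; rev:1;)
'''

# A rule line, optionally commented out; the option list sits in the parentheses.
RULE_RE = re.compile(r'^\s*(?P<disabled>#\s*)?alert\s.*?\((?P<opts>.*)\)\s*$')
# One keyword:value; pair; quoted values may contain ; and \" escapes.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(line):
    """Return (gid, sid, msg, disabled) for a rule line, or None if it is not one."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = dict(OPT_RE.findall(m.group('opts')))
    if 'sid' not in opts or 'msg' not in opts:
        return None
    msg = opts['msg'].strip('"').replace('\\"', '"')
    gid = int(opts.get('gid', 1))  # text rules carry no gid; Snort defaults it to 1
    return gid, int(opts['sid']), msg, m.group('disabled') is not None

def sidmap_lines(rule_text, include_disabled=False):
    """Build sid-msg.map lines from the rule text. Entries for shared object
    rules get their gid prepended (the job the script's sed does with a fixed
    '3 || '); ordinary gid 1 rules keep the plain 'sid || msg' form."""
    out = []
    for line in rule_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        gid, sid, msg, disabled = parsed
        if disabled and not include_disabled:
            continue
        prefix = f'{gid} || ' if gid != 1 else ''
        out.append(f'{prefix}{sid} || {msg}')
    return out

if __name__ == '__main__':
    print('\n'.join(sidmap_lines(SAMPLE_RULES)))
```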

On Fri, Jan 9, 2009 at 3:01 PM, Joel Esler <eslerj () gmail com> wrote:
Oinkmaster does not support so rules at this time.

Joel

On Jan 9, 2009, at 2:03 PM, carlopmart allegedly wrote:

Hi all,

 Does anybody have an automation script to load so_rules on snort using
oinkmaster?? I see that I need to create a new oinkmaster.conf file,
but how can I load these new rules under snort??

 I have read this link
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
, but I don't see it very clearly. Is it possible to automate this process??

 Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  http://www.joelesler.net
  http://www.twitter.com/joelesler
[m]


