Snort mailing list archives
Re: Using shared object rules with oinkmaster and snort
From: "Seth Art" <sethsec () gmail com>
Date: Fri, 9 Jan 2009 16:35:34 -0500
> Oinkmaster does not support so rules at this time.

According to question 34 of the Oinkmaster FAQ (http://oinkmaster.cvs.sourceforge.net/oinkmaster/oinkmaster/FAQ?view=markup), Andreas says that Oinkmaster does support so rules; however, even after downloading the latest CVS code, I could not get it to work the way I wanted it to.
> Does somebody have any automation script to load so_rules on snort?

I put together the following script which seems to do the trick. I call it from cron, and send the output and error to a logfile. It's a work in progress so feel free to give feedback. Hopefully others find it useful.

#!/bin/bash
###################################################################
# Purpose: This script is used to update Snort signatures
# Author: Seth Art
# Version: 1.0
###################################################################

DATE=$(date)
echo "Date: $DATE"

# -- Before running sigupdate, remove old snortrules-snapshots
rm -rf /var/tmp/snortrules-snapshot-2.8*
rm -rf /var/tmp/snort-rules

# -- Pulls the URL with the oinkcode from oinkmaster.conf (the uncommented "url = ..." line)
# -- Downloads the tarball
OINKURL=$(grep url /etc/oinkmaster.conf | grep -v '#' | awk '{ print $3 }')
FILENAME=$(basename "$OINKURL")
wget --directory-prefix=/var/tmp "$OINKURL"

# -- Makes a temporary directory (and the stubs directory snort writes into)
# -- Extracts the tarball
# -- Pulls out the correct shared object rules and puts them in /etc/snort
# -- Has snort parse through the shared objects and create stubs for all rules
mkdir -p /var/tmp/snort-rules /etc/snort/rules/so_rules/stubs
tar zxf "/var/tmp/$FILENAME" -C /var/tmp/snort-rules/
/bin/cp -fp /var/tmp/snort-rules/so_rules/precompiled/CentOS-4.6/i386/2.8.3/*.so /etc/snort/rules/so_rules/
/usr/sbin/snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/rules/so_rules/stubs/

# -- We are now ready to run oinkmaster and update the "rest" of the rules.
# -- Since we already downloaded the snortrules-snapshot file manually, we are going to tell oinkmaster to use that file.
/usr/local/bin/oinkmaster.pl -u "file:///var/tmp/$FILENAME" -o /etc/snort/rules

# -- Now we need to create the sid-msg-map files.
# -- First we create the shared object rule map; sed prepends "3 || " (generator ID 3,
# -- used by shared object rules) to each line without consuming the first digit of the sid.
# -- Then we create the "normal" rule map.
# -- Then we concatenate them together.
# -- This is what barnyard uses to map signature names to signature IDs.
/usr/local/bin/create-sidmap.pl /etc/snort/rules/so_rules/stubs/ | sed -e 's/^/3 || /' > /etc/snort/rules/so_rules/stubs/shared-sid-msg.map
/usr/local/bin/create-sidmap.pl /etc/snort/rules/ > /etc/snort/rules/sid-msg.map
cat /etc/snort/rules/so_rules/stubs/shared-sid-msg.map >> /etc/snort/rules/sid-msg.map

# -- Finally we cross our fingers and restart snort
/etc/init.d/snortd restart

--------------------------------------------------------------------------------
Regards,
Seth

On Fri, Jan 9, 2009 at 3:01 PM, Joel Esler <eslerj () gmail com> wrote:
> Oinkmaster does not support so rules at this time.
>
> Joel
>
> On Jan 9, 2009, at 2:03 PM, carlopmart allegedly wrote:
>
>> Hi all,
>>
>> Does somebody have any automation script to load so_rules on snort using oinkmaster?? I see that I need to create a new oinkmaster.conf file, but how can I load these new rules under snort?? I have read this link http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html, but I don't see it very clearly. Is it possible to automate this process??
>>
>> Many thanks.
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>
> --
> Joel Esler
> http://www.joelesler.net
> http://www.twitter.com/joelesler
> [m]

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
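As an added illustration (not Seth's script and not part of create-sidmap.pl or any Snort tool), the following Python builds the same kind of sid-msg.map entries the script assembles: it reads msg, sid, gid and reference options out of rule lines, prefixes the generator ID only for non-text rules (gid 3 for shared object stubs, matching the "3 || " the script adds), and refuses duplicate gid:sid pairs, which would otherwise map one ID to two names in barnyard. The stub and rule lines are constructed for the example.

```python
import re

# Constructed sample input: two stub lines in the style of snort --dump-dynamic-rules
# output (gid 3, shared object rules) and text rules from a normal .rules file.
SO_STUBS = """\
# stub file constructed for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example stub"; sid:13162; gid:3; rev:4; reference:cve,2008-4250; classtype:attempted-admin; metadata:engine shared;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example stub"; gid:3; sid:14000; rev:1; classtype:attempted-dos;)
"""
TEXT_RULES = """\
alert tcp any any -> any 80 (msg:"WEB example text rule"; flow:to_server; content:"GET"; sid:1000001; rev:2; reference:url,example.invalid/x;)
# alert tcp any any -> any 21 (msg:"FTP disabled rule is skipped"; sid:1000002; rev:1;)
"""

# Matches the rule options we need; quoted values may contain escaped quotes.
OPT_RE = re.compile(r'\b(msg|sid|gid|reference):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return (gid, sid, msg, [refs]) for an active rule line, or None otherwise."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    fields, refs = {}, []
    for key, value in OPT_RE.findall(line[line.index("("):]):
        value = value.strip()
        if key == "reference":
            refs.append(value)
        else:
            fields[key] = value.strip('"')
    if "sid" not in fields or "msg" not in fields:
        return None
    return int(fields.get("gid", 1)), int(fields["sid"]), fields["msg"], refs


def build_sid_msg_map(*rule_texts):
    """Build sorted sid-msg.map lines; gid is prefixed only when it is not 1."""
    seen = {}
    for text in rule_texts:
        for line in text.splitlines():
            parsed = parse_rule(line)
            if parsed is None:
                continue
            gid, sid, msg, refs = parsed
            if (gid, sid) in seen:
                raise ValueError(f"duplicate gid:sid {gid}:{sid}")
            seen[(gid, sid)] = (msg, refs)
    out = []
    for (gid, sid), (msg, refs) in sorted(seen.items()):
        prefix = f"{gid} || " if gid != 1 else ""
        out.append(prefix + " || ".join([str(sid), msg, *refs]))
    return out
```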
Current thread:
- Using shared object rules with oinkmaster and snort carlopmart (Jan 09)
- Re: Using shared object rules with oinkmaster and snort Joel Esler (Jan 09)
- Re: Using shared object rules with oinkmaster and snort Seth Art (Jan 09)
- Re: Using shared object rules with oinkmaster and snort Joel Esler (Jan 09)