Snort mailing list archives
community rules, where to get them
From: Igor Zinovik <zinovik.igor () gmail com>
Date: Wed, 26 Jan 2011 10:53:06 +0300
Hello, snort-users.

In the FAQ I read about Snort community rules, but I do not understand where to get them. I'm deploying Snort 2.8.6.1 on FreeBSD 8.1; it is installed from ports. Its default configuration file contains the following lines that I had to comment out:

    % egrep -e '^#include' ~etc/snort/snort.conf
    #include $RULE_PATH/local.rules
    #include $RULE_PATH/community-exploit.rules
    #include $RULE_PATH/telnet.rules
    #include $RULE_PATH/community-dos.rules
    #include $RULE_PATH/community-sql-injection.rules
    #include $RULE_PATH/community-web-client.rules
    #include $RULE_PATH/community-web-dos.rules
    #include $RULE_PATH/community-web-iis.rules
    #include $RULE_PATH/community-web-misc.rules
    #include $RULE_PATH/community-web-php.rules
    #include $RULE_PATH/community-oracle.rules
    #include $RULE_PATH/community-ftp.rules
    #include $RULE_PATH/community-smtp.rules
    #include $RULE_PATH/community-imap.rules
    #include $RULE_PATH/community-nntp.rules
    #include $RULE_PATH/community-sip.rules
    #include $RULE_PATH/other-ids.rules
    #include $RULE_PATH/community-bot.rules
    #include $RULE_PATH/community-virus.rules
    #include $RULE_PATH/emerging.conf

My oinkmaster has the following URLs:

    % egrep -e '^url' ~etc/oinkmaster.conf
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/b83726cbdb938dfd7fe75d0c404886144e35363a/snortrules-snapshot-2861.tar.gz
    url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz

But when I start it and it manages to download the signature files, I still do not see community*.rules appear in my /usr/local/etc/snort/rules. I run oinkmaster this way:

    % sudo oinkmaster -C ~etc/oinkmaster.conf -o ~etc/snort/rules

Even if I uncomment the URL that points to the community rules, oinkmaster fails to fetch them:

    Loading /usr/local/etc/oinkmaster.conf
    Downloading file from http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz...
    /usr/local/bin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz. Output from wget follows:

    --2011-01-26 10:42:20--  http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
    Resolving www.snort.org... 68.177.102.20
    Connecting to www.snort.org|68.177.102.20|:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2011-01-26 10:42:21 ERROR 404: Not Found.

    Oink, oink. Exiting...

Can someone explain to me where to get the community rules, or are they deprecated and no longer maintained by the Snort community?
Current thread:
- community rules, where to get them Igor Zinovik (Jan 25)
- Re: community rules, where to get them Matthew Jonkman (Jan 26)
- Re: community rules, where to get them Joel Esler (Jan 26)