Snort mailing list archives

Re: oinkmaster and binary rules


From: Seth Art <sethsec () gmail com>
Date: Thu, 22 Jan 2009 11:14:38 -0500

That is exactly what I discovered as well.  I'm not saying it's
impossible, just that I couldn't find a way to tell oinkmaster which
set of precompiled so files to copy over.  Seems like something that
could be added to a future version of Oinkmaster.

In the end, as Nathaniel mentioned, I decided to script the so_rules
part myself, and then let oinkmaster take care of the gen 1 rules. Here
is an updated version of the script that I modified for my sguil
sensor at home.  I have abstracted a bunch of the paths to variables
at the top of the script to make it much easier to modify for your own
needs.

-------------------------------------------------- BEGIN SCRIPT --------------------------------------------------

#!/bin/bash
###################################################################
# Purpose: This script is used to update Snort signatures
# Author: Seth Art
# Version: 1.1
###################################################################
# Abort on the first failing step so snort is never restarted on a
# half-updated ruleset (e.g. a failed download or an empty .so dir).
set -e

DATE=$(date)
echo "Date: $DATE"

OINKMASTER_PL_PATH=/usr/local/bin/oinkmaster-2.0/oinkmaster.pl
OINKMASTER_CONF_PATH=/usr/local/bin/oinkmaster-2.0/oinkmaster.conf

# Precompiled shared-object rules: this must be the distro/arch/snort
# version directory that matches the sensor, or the .so files won't load.
SO_RULES_TYPE=/var/tmp/snort-rules/so_rules/precompiled/CentOS-4.6/i386
SO_RULES_VER=2.8.3
SO_RULES_DIR=/usr/local/snortrules-egress/so_rules

SNORT_RULES_DIR=/usr/local/snortrules-egress
SNORT_CONF_PATH=/usr/local/snortrules-egress/snort.conf
SNORT_INIT_SCRIPT=/etc/init.d/snort-egress

CREATE_SIDMAP_PL_PATH=/usr/local/bin/oinkmaster-2.0/contrib/create-sidmap.pl

# -- Before running sigupdate, remove old snortrules-snapshots
rm -rf /var/tmp/snortrules-snapshot-2.8*
rm -rf /var/tmp/snort-rules

# -- Pulls the url with the oinkcode from oinkmaster.conf
# -- Downloads the tarball (the filename is the last path component of the url)

OINKURL=$(grep url "$OINKMASTER_CONF_PATH" | grep snort | grep -v '#' | awk '{ print $3 }')
FILENAME=$(basename "$OINKURL")
wget --directory-prefix=/var/tmp "$OINKURL"

# -- Makes a temporary directory (and the stubs directory snort writes into)
# -- Extracts the tarball
# -- Pulls out the correct shared object rules and puts them in $SO_RULES_DIR
# -- Has snort parse through the shared objects and create stubs for all rules

mkdir -p /var/tmp/snort-rules "$SO_RULES_DIR/stubs"
tar zxf "/var/tmp/$FILENAME" -C /var/tmp/snort-rules/
/bin/cp -fp "$SO_RULES_TYPE/$SO_RULES_VER"/*.so "$SO_RULES_DIR"
/usr/sbin/snort -c "$SNORT_CONF_PATH" --dump-dynamic-rules="$SO_RULES_DIR/stubs/"

# -- We are now ready to run oinkmaster and update the "rest" of the rules.
# -- Since we already downloaded the snortrules-snapshot file manually,
# -- we are going to tell oinkmaster to use that file.

"$OINKMASTER_PL_PATH" -C "$OINKMASTER_CONF_PATH" -u "file:///var/tmp/$FILENAME" -o "$SNORT_RULES_DIR"
"$OINKMASTER_PL_PATH" -C "$OINKMASTER_CONF_PATH" -u http://www.emergingthreats.net/rules/emerging.rules.tar.gz -o "$SNORT_RULES_DIR"

# -- Now we need to create the sid-msg-map files.
# -- First we create the shared object rule map, prefixing every line with
#    the shared-object gid (3) so it doesn't collide with the gen 1 sids.
# -- Then we create the "normal" rule map.
# -- Then we concatenate them together.
# -- This is what barnyard uses to map signature names to signature IDs.

"$CREATE_SIDMAP_PL_PATH" "$SO_RULES_DIR/stubs/" | sed -e 's/^/3 || /' > "$SO_RULES_DIR/stubs/shared-sid-msg.map"
"$CREATE_SIDMAP_PL_PATH" "$SNORT_RULES_DIR" > "$SNORT_RULES_DIR/sid-msg.map"
cat "$SO_RULES_DIR/stubs/shared-sid-msg.map" >> "$SNORT_RULES_DIR/sid-msg.map"

# -- Finally we cross our fingers and restart snort

"$SNORT_INIT_SCRIPT" restart

--------------------------------------------------- END SCRIPT ---------------------------------------------------

-Seth
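The two steps Nathaniel describes that Oinkmaster leaves to you (dropping the right precompiled .so files into place, and turning the stubs that `snort --dump-dynamic-rules` writes into gid-3 sid-msg.map lines for barnyard) are the ones that fail quietly, so here is an added example of small POSIX sh helpers that check them. This is not code from the original post or from Oinkmaster. It assumes the snapshot layout used in the script above (so_rules/precompiled/<distro>/<arch>/<version>/*.so), that Snort names each stub after its library (web-client.so -> web-client.rules), and that shared-object rules load under gid 3; the stub lines and empty placeholder .so files are constructed for the demo and stand in for a real snapshot.

```shell
#!/bin/sh
# Added example (not from the original post or from Oinkmaster): helpers for
# the two steps Oinkmaster will not do for you when updating so_rules.
# Assumptions: snapshot layout so_rules/precompiled/DISTRO/ARCH/VERSION/*.so,
# stub files named after their .so, shared-object rules under gid 3.

# pick_so_dir SNAPSHOT_ROOT DISTRO ARCH SNORT_VERSION
# Prints the precompiled directory for this platform, or fails if it is
# missing or holds no .so files (a .so built for another Snort version or
# arch will not load, so refuse to continue rather than copy nothing).
pick_so_dir() {
    dir="$1/so_rules/precompiled/$2/$3/$4"
    if [ ! -d "$dir" ]; then
        echo "pick_so_dir: no precompiled so_rules for $2/$3/$4" >&2
        return 1
    fi
    set -- "$dir"/*.so
    if [ ! -e "$1" ]; then
        echo "pick_so_dir: no .so files in $dir" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# stubs_to_sidmap STUB_DIR
# Reads every *.rules stub and prints "3 || sid || msg" lines sorted by sid.
# The gid is prepended to the line; it must never replace the first digit
# of the sid, or barnyard will map alerts to the wrong signature.
stubs_to_sidmap() {
    cat "$1"/*.rules 2>/dev/null |
    awk '
        /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ {
            sid = ""; msg = ""
            if (match($0, /sid:[0-9]+;/)) sid = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /msg:"[^"]*"/))  msg = substr($0, RSTART + 5, RLENGTH - 6)
            if (sid != "" && msg != "") print "3 || " sid " || " msg
        }' |
    sort -k3,3n
}

# missing_stubs SO_DIR STUB_DIR
# Lists each .so that has no matching .rules stub (assumed naming:
# web-client.so -> web-client.rules) and returns 1 if any are missing,
# which usually means snort failed to load that library.
missing_stubs() {
    rc=0
    for lib in "$1"/*.so; do
        [ -e "$lib" ] || continue
        name=$(basename "$lib" .so)
        if [ ! -f "$2/$name.rules" ]; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# make_sample_tree ROOT
# Constructed sample: two placeholder .so files and one stub file shaped
# like snort --dump-dynamic-rules output (exploit.so deliberately has no stub).
make_sample_tree() {
    sodir="$1/so_rules/precompiled/CentOS-4.6/i386/2.8.3"
    mkdir -p "$sodir" "$1/stubs"
    : > "$sodir/web-client.so"
    : > "$sodir/exploit.so"
    cat > "$1/stubs/web-client.rules" <<'EOF'
# constructed stub lines, not a real VRT rule set
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample stub one"; sid:13099; gid:3; rev:1; classtype:attempted-user; metadata:engine shared;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT sample stub two"; sid:12345; gid:3; rev:2; classtype:attempted-admin; metadata:engine shared;)
EOF
}

# Demo on the constructed tree: no network and no snort binary needed.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
so_dir=$(pick_so_dir "$tmp" CentOS-4.6 i386 2.8.3)
echo "so_rules dir: $so_dir"
stubs_to_sidmap "$tmp/stubs"
missing_stubs "$so_dir" "$tmp/stubs" | sed 's/^/missing stub for: /'
rm -rf "$tmp"
```

In the real update script, `pick_so_dir` replaces the hard-coded `$SO_RULES_TYPE/$SO_RULES_VER` and makes a version mismatch fail before anything is copied; `missing_stubs` run after `--dump-dynamic-rules` catches a library snort silently refused to load; and `stubs_to_sidmap` is a drop-in for the create-sidmap.pl plus sed step when you want to see exactly which sids get the gid 3 prefix.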


On Thu, Jan 22, 2009 at 10:18 AM, Nathaniel Richmond
<nate+snort () richmond-family org> wrote:
Tim Maletic wrote:
I see how the latest oinkmaster can handle updating the rules files of
so rules, but what about the so files themselves?  I'm thinking in
particular of the so rules that are being distributed binary-only in
VRT rule sets.  -tm


Oinkmaster will not touch the actual .so files, so you have to put
them in the appropriate directory yourself. Don't forget to run
Snort against the .so rules with the '--dump-dynamic-rules' option.
This will generate the required stub files, but they will not
contain any changes you made to enable or disable specific rules. To
change which are enabled or disabled, run Oinkmaster with the
oinkmaster-so-rules.conf pointing to the directory that contains
your new stubs.

Once you manually go through the process, you will see it is not
difficult to script. You will have to run Oinkmaster twice, once for
the standard rules and once for SO rules.

Here is a script example that was previously sent to the list:
http://sourceforge.net/mailarchive/message.php?msg_name=2ffb4a7c0901091335x2eb34ac2p754076ca1374b39c%40mail.gmail.com

Nate

On Mon, Jan 19, 2009 at 9:33 AM, Leon Ward <seclists () rm-rf co uk>
wrote:
From the very top of the Oinkmaster home page
(http://oinkmaster.sourceforge.net/) .....

[2008-02-19]  Updating the shared object rules (so_rules) with
Oinkmaster
By using the latest nightly CVS snapshot tarball you can now keep
track of the shared object rules (so_rules) with Oinkmaster. See
question #34 in the FAQ.

-Leon


On 19 Jan 2009, at 13:56, ty wrote:

Can oinkmaster be used to update / replace the binary (so_rules)
rules from VRT?

If not, any good suggestions existing scripts to keep the binary
rules updated?

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


