ET rules in emerging.conf deactivated after updating via Oinkmaster&cron

[Jun Wan <junwei_wan () hotmail com>]

Hi,
 
I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every 2:00 am. I have a very simple 
oinkmaster.conf, I add nothing but the following two lines in oinkmaster.conf (I haven't gone through the rules files 
taking down the sids to disable, etc) , please see the following:
sudo vi /usr/local/etc/oinkmaster.conf
url = 
http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
 
 Cron does a good job every 2:00 am as I can see lots of rules are updated via" ls -l /usr/local/snort/rules", please 
see the following:
...............
-rw-r--r-- 1 root root  558418 2010-11-28 02:01 emerging-trojan.rules
-rw-r--r-- 1 root root  222930 2010-11-28 02:01 emerging-user_agents.rules
-rw-r--r-- 1 root root   26489 2010-11-21 02:01 emerging-virus.rules
-rw-r--r-- 1 root root    6974 2010-11-11 02:01 emerging-voip.rules
-rw-r--r-- 1 root root   48160 2010-11-25 02:01 emerging-web_client.rules
-rw-r--r-- 1 root root  103214 2010-11-25 02:01 emerging-web_server.rules
-rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root   17216 2010-11-11 02:01 emerging-worm.rules
-rw-r--r-- 1 1210 1210    1327 2005-05-17 08:18 experimental.rules
-rw-r--r-- 1 1210 1210  131923 2010-11-28 02:01 exploit.rules
-rw-r--r-- 1 1210 1210    4578 2010-10-30 16:12 finger.rules
-rw-r--r-- 1 1210 1210   32417 2010-11-26 02:01 ftp.rules
-rw-r--r-- 1 root root   18269 2010-10-30 13:13 gen-msg.map
-rw-r--r-- 1 root root   18092 2010-10-30 13:13 gpl-2.0.txt
-rw-r--r-- 1 1210 1210   16989 2010-04-30 00:27 icmp-info.rules
-rw-r--r-- 1 1210 1210    5546 2010-11-26 02:01 icmp.rules
-rw-r--r-- 1 1210 1210   32828 2010-11-26 02:01 imap.rules
-rw-r--r-- 1 1210 1210    1043 2010-04-30 00:27 info.rules  
...............
 
And I add emerging.conf in the follwoing:
 
sudo vi /usr/local/snort/etc/snort.conf  
 
..............
 
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/emerging.conf
.................
 
 
VRT rules are the foundation of detecting abnormal network activities whilst  Emergingthreats is rules I want to use as 
well to cover virus, trojan, malware etc, so I did the following:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
........
 
include $RULE_PATH/emerging-worm.rules
.............
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I did some testing with p2p traffic, an Alert generated by the ET p2p rule, which is good, but the problem is that all 
the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc, are disabled next morning, and I get the following 
every morning:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
#include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-malware.rules
........
 
#include $RULE_PATH/emerging-worm.rules
.............
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I 
configured before, my questions would be:
 
1.) Is this the right way for Snort to use ET rules by modifying the emerging.conf as above (removing # from rules of 
virus, trojan, p2p etc) ?
2.) How can I keep the modified emerging.conf from being overwritten to a new downloaded one from ET?
 
Any information and help would be much appreciated.
 
Thanks
 
Regards
 
John
------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App 
& Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for 
Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are 
up for grabs. http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users