Snort mailing list archives
ET rules in emerging.conf deactivated after updating via Oinkmaster&cron
From: Jun Wan <junwei_wan () hotmail com>
Date: Mon, 29 Nov 2010 21:24:57 +0000
Hi,

I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every 2:00 am. I have a very simple oinkmaster.conf; I add nothing but the following two lines in oinkmaster.conf (I haven't gone through the rules files taking down the sids to disable, etc.). Please see the following:

sudo vi /usr/local/etc/oinkmaster.conf

url = http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz

Cron does a good job every 2:00 am, as I can see lots of rules are updated via "ls -l /usr/local/snort/rules". Please see the following:

...............
-rw-r--r-- 1 root root 558418 2010-11-28 02:01 emerging-trojan.rules
-rw-r--r-- 1 root root 222930 2010-11-28 02:01 emerging-user_agents.rules
-rw-r--r-- 1 root root 26489 2010-11-21 02:01 emerging-virus.rules
-rw-r--r-- 1 root root 6974 2010-11-11 02:01 emerging-voip.rules
-rw-r--r-- 1 root root 48160 2010-11-25 02:01 emerging-web_client.rules
-rw-r--r-- 1 root root 103214 2010-11-25 02:01 emerging-web_server.rules
-rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root 17216 2010-11-11 02:01 emerging-worm.rules
-rw-r--r-- 1 1210 1210 1327 2005-05-17 08:18 experimental.rules
-rw-r--r-- 1 1210 1210 131923 2010-11-28 02:01 exploit.rules
-rw-r--r-- 1 1210 1210 4578 2010-10-30 16:12 finger.rules
-rw-r--r-- 1 1210 1210 32417 2010-11-26 02:01 ftp.rules
-rw-r--r-- 1 root root 18269 2010-10-30 13:13 gen-msg.map
-rw-r--r-- 1 root root 18092 2010-10-30 13:13 gpl-2.0.txt
-rw-r--r-- 1 1210 1210 16989 2010-04-30 00:27 icmp-info.rules
-rw-r--r-- 1 1210 1210 5546 2010-11-26 02:01 icmp.rules
-rw-r--r-- 1 1210 1210 32828 2010-11-26 02:01 imap.rules
-rw-r--r-- 1 1210 1210 1043 2010-04-30 00:27 info.rules
...............

And I add emerging.conf in the following:

sudo vi /usr/local/snort/etc/snort.conf

..............
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/emerging.conf
.................

VRT rules are the foundation of detecting abnormal network activities, whilst Emerging Threats rules are ones I want to use as well to cover virus, trojan, malware etc., so I did the following:

sudo vi /usr/local/snort/rules/emerging.conf

#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
.....
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
........
include $RULE_PATH/emerging-worm.rules
.............
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................

I did some testing with p2p traffic, and an alert was generated by the ET p2p rule, which is good, but the problem is that all the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc., are disabled next morning, and I get the following every morning:

sudo vi /usr/local/snort/rules/emerging.conf

#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
.....
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
#include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-malware.rules
........
#include $RULE_PATH/emerging-worm.rules
.............
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................

I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I configured before. My questions would be:

1.) Is this the right way for Snort to use ET rules, by modifying the emerging.conf as above (removing # from rules of virus, trojan, p2p etc.)?
2.) How can I keep the modified emerging.conf from being overwritten by a newly downloaded one from ET?

Any information and help would be much appreciated.

Thanks
Regards
John

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
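An added check for the failure mode described in the post above (not code from the post or from Oinkmaster): a POSIX shell script that compares the rule-file includes that are active in a saved copy of emerging.conf against the copy left behind by the nightly update and reports the ones that have silently gone back to being commented out, so a cron job run after the 2:00 am update can flag lost coverage instead of Snort running with fewer rules until someone notices. The file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from Oinkmaster): detect rule files that
# were included in a saved copy of emerging.conf but are commented out in the
# copy written by the nightly update. Paths in the usage comment are assumptions.

# Print the rule-file names from active (uncommented) include lines, one per
# line, sorted so that comm(1) can compare the two sets. Lines starting with
# "#" or "##" never match, so they count as inactive.
active_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$1" \
        | sort -u
}

# Print the rule files that are active in the saved copy ($1) but not in the
# freshly updated copy ($2).
deactivated_includes() {
    old_list=$(mktemp) || return 1
    new_list=$(mktemp) || return 1
    active_includes "$1" > "$old_list"
    active_includes "$2" > "$new_list"
    comm -23 "$old_list" "$new_list"    # lines present only in the old set
    rm -f "$old_list" "$new_list"
}

# Return 0 when nothing was lost, 1 (with a warning on stderr) otherwise, so a
# cron job can mail or log the failure rather than running with reduced coverage.
check_update() {
    lost=$(deactivated_includes "$1" "$2")
    if [ -n "$lost" ]; then
        echo "WARNING: rule files no longer included in $2 after update:" >&2
        echo "$lost" >&2
        return 1
    fi
    return 0
}

# Usage (assumed paths): keep a copy of the hand-edited file and compare it to
# the live one from a crontab entry a few minutes after the oinkmaster run:
#   check_update /usr/local/snort/rules/emerging.conf.local \
#                /usr/local/snort/rules/emerging.conf
```

Oinkmaster's own skipfile directive in oinkmaster.conf can exempt a file from being overwritten by the update; the check above is a complementary safeguard that catches the case where that exemption is missing or misconfigured.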
Current thread:
- (no subject) Jun Wan (Nov 29)
- Re: [Emerging-Sigs] (no subject) Joel Esler (Nov 29)
- ET rules in emerging.conf deactivated after updating via Oinkmaster&cron Jun Wan (Nov 29)
- Re: [Emerging-Sigs] (no subject) waldo kitty (Nov 29)
- Re: [Emerging-Sigs] (no subject) Jun Wan (Nov 30)
- Re: [Emerging-Sigs] (no subject) waldo kitty (Nov 30)
- Re: [Emerging-Sigs] (no subject) Jun Wan (Nov 30)