Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Updating Snort Rules Offline

From: Y M <snort () outlook com>
Date: Sun, 8 Feb 2015 05:18:05 +0000

Date: Sat, 7 Feb 2015 17:07:28 -0500
From: blueeyes.online () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Updating Snort Rules Offline

Hello,
     I am hoping you can assist me.  I am using Security Onion and I am attempting to update my Snort IDS rules in it 
offline (it does not have internet connectivity).  I am not finding any easy steps on how to do this online anywhere.

I have downloaded the "community-rules.tar.gz" and "snortrules-snapshot-2970.tar.gz" rule packages manually from 
Snort.org already.



So far I have completed the following steps:



1. Copied both rule packages to the Desktop of Security Onion



2. Ran both Phase I and Phase II of the Security Onion setup (Security Onion is up and running now)



3. I went to the /etc/nsm/securityonion.conf file and changed the LOCAL_NIDS_RULE_TUNING=no to 
LOCAL_NIDS_RULE_TUNING=yes.



At this point where do I copy these packages to before I run the 
rule-update command for PulledPork to process them?  Am I missing any 
other steps that I need to complete first too?  



I don't know if you can help me or not, but it would be appreciated.
** While I am not particularly familiar with the internals of Security Onion, but I believe there is a specific script 
that you run to update the rules. This script most probably calls PulledPork. Trace that file to eventually find the 
poulledpork.conf file. Once you locate pulledpork.conf, check default directory from which PulledPork reads the rules 
(temp_path variable) , as well as which rules are being downloaded (rule_url variable). Make sure the rule_url 
variables are pointing to the URLs of the rules you want to download. Finally, check what allowed command line switches 
does the script that accept to verify you can use for offline updates. If you need to call PulledPork directly, you 
need to include  -n and -P to the command line to make sure you are able to process rules offline.

Sincerely,
Jeffrey Hilgers


------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!                                       
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: