Tuesday, September 18, 2007

bleeding and regular rules with Oinkmaster

As promised in a previous posting, here is the information about configuring oinkmaster to obtain both bleeding edge threat rules and the standard snort.org rules.

First let's copy our /usr/local/etc/oinkmaster.conf file so that we have a separate config file for our bleeding rules.
secure2# cp /usr/local/etc/oinkmaster.conf /usr/local/etc/oinkmaster-bleeding.conf
secure2# vi /usr/local/etc/oinkmaster-bleeding.conf
#replace your url string w/ the following...
# Example for rules from the Bleeding Snort project
url = http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz
#save the file
Now, let's retrieve the files and put all of the sid-msg.map trash together... for simplicity's sake let's just put this into a script...
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
set -e
RULES=/usr/local/etc/snort/rules
# snort.org rules, using the default /usr/local/etc/oinkmaster.conf
/usr/local/bin/oinkmaster -o "$RULES/"
# bleeding rules, using the config we made above
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o "$RULES/"
# tack the bleeding sid-msg.map onto the snort.org one
cat "$RULES/bleeding-sid-msg.map" >> "$RULES/sid-msg.map"
# HUP each process so it reloads the rules; skip a pid file that isn't there
for pidfile in /var/run/snort_em1.pid /var/run/by.pid; do
    if [ -f "$pidfile" ]; then
        /bin/kill -HUP "$(cat "$pidfile")"
    fi
done
That's it.. now run the script or crontab it... enjoy
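One thing the `cat >>` step never does is check the two maps against each other: an exact duplicate line or a SID that both sources define with different messages goes into sid-msg.map unnoticed. Here is a small added Python check (mine, not oinkmaster's and not from the original post) that merges sid-msg.map files the same way but skips exact duplicates and reports colliding SIDs; the map contents and SIDs are constructed samples.

```python
"""Merge sid-msg.map files, skipping duplicates and flagging SID collisions.

Added example, not part of oinkmaster or the original post. A sid-msg.map
line is 'sid || msg || reference || reference ...'; '#' lines are comments.
"""


def parse_sid_msg_map(text):
    """Yield (sid, normalised_line) for each entry of a sid-msg.map."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError("malformed sid-msg.map line: %r" % raw)
        yield int(fields[0]), " || ".join(fields)


def merge_sid_msg_maps(*texts):
    """Merge maps in order; the first definition of a SID wins.

    Returns (merged_text, conflicts): merged_text is sorted by SID with
    exact duplicates dropped (so re-running is harmless), and conflicts
    lists (sid, kept_line, dropped_line) for SIDs defined two different ways.
    """
    merged = {}
    conflicts = []
    for text in texts:
        for sid, line in parse_sid_msg_map(text):
            if sid not in merged:
                merged[sid] = line
            elif merged[sid] != line:
                conflicts.append((sid, merged[sid], line))
    return "\n".join(merged[sid] for sid in sorted(merged)) + "\n", conflicts


# Constructed sample maps: one snort.org-style file and one bleeding-style
# file that reuses SID 2000001 with a different message.
SNORT_MAP = """# constructed sample of a snort.org sid-msg.map
1000001 || LOCAL test rule
2000001 || SCAN constructed sample signature || url,example.invalid
"""
BLEEDING_MAP = """# constructed sample of a bleeding-sid-msg.map
2000001 || BLEEDING-EDGE SCAN constructed sample signature || url,example.invalid
2000002 || BLEEDING-EDGE SCAN second constructed signature
"""

if __name__ == "__main__":
    text, conflicts = merge_sid_msg_maps(SNORT_MAP, BLEEDING_MAP)
    print(text)
    for sid, kept, dropped in conflicts:
        print("conflict on sid %d: kept %r, dropped %r" % (sid, kept, dropped))
```

Point it at the real /usr/local/etc/snort/rules/sid-msg.map and bleeding-sid-msg.map in place of the sample strings and write the merged text back only when the conflict list is empty.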

Cheers,
JJC
