Snort mailing list archives
RE: Now that I have my oink code
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 09 Mar 2005 14:19:42 -0600
--On Wednesday, March 09, 2005 10:48:44 AM -0800 Snortty <cwcwcwg () yahoo com> wrote:
> How did you figure out the IP of the snort NATting to outbound?

Here's what I did:

I wrote a shell script on an Internet-facing box. It's croned to run every night at 10PM. It fetches the rules file and puts it in an (IP-restricted, access-restricted, non-linked) directory on our web server. The IP of that box is fixed and never changes.
I then edited the oinkmaster.conf file to point to that location to fetch the rules files every night at 11PM. (I also changed the name of the file to snortrules.tar.gz. That way I only have to edit the shell script when the filename changes at snort.org. Oinkmaster always looks for snortrules.tar.gz.)
Note: if you're going to do this, you need to use very tight restrictions on who/what can access the file. Use a firewall or .htaccess rules to restrict the access to the one IP where oinkmaster lives.
Here's an example .htaccess file:

    SetEnvIf X-Cluster-Client-Ip "(192\.168\.1\.12).*$" permitted
    <Limit GET>
        Order deny,allow
        Deny from all
        Allow from env=permitted
    </Limit>

If you have multiple snort boxes that need to fetch the rules, just use an OR ("|") in the SetEnvIf statement (e.g. "(192\.168\.1\.12|192\.168\.1\.13).*$").
With this .htaccess file in place, the only host that can access the file from the web (or using wget or ftp) is 192.168.1.12. NOTE: if you do not restrict access to this file, you will almost certainly be in violation of Sourcefire's license agreement.
Here's the shell script:

    #!/bin/sh
    # This script downloads the snort rules to a (configurable) local directory.
    # Oinkmaster on buttercup2 then fetches them from that directory, so if you
    # change the local directory or the filename, you have to edit the "url" option
    # in the config file for oinkmaster or rules updating will be broken.
    # When the file is downloaded, we rename it snortrules.tar.gz so that the
    # oinkmaster.conf file never has to be edited when the rules change.

    WGET="/usr/local/bin/wget"
    CHMOD="/usr/bin/chmod"
    RULES="snortrules-snapshot-{your version}.tar.gz"
    FILE="snortrules.tar.gz"
    RULESDIR="/path/to/your/local/dir"
    OINKCODE="put your oink code here"
    URL="http://www.snort.org/pub-bin/oinkmaster.cgi/$OINKCODE/$RULES"

    ${WGET} -qr -O "$RULESDIR/$FILE" "$URL"
    ${CHMOD} 664 "$RULESDIR/$FILE"
> The registration instructions specifically excluded RFC 1918 addresses. You must use an "internet" address.
>
> That could be my problems for d.l new rules after having registered, and got Oink Code by entering my snort box IP (internal IP), it shows errors:
>
>     Connecting to 192.168.103.x:8000... connected.
>     Proxy request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file from your IP Address
>     18:32:37 ERROR 403: You must be a registered user with a valid oink code to download this file from your IP Address.
>     -------------------------
>
> where 192.168.103.x is our proxy IP.
>
> Also, I'm running snort v2.1.2, which latest rules should work for my snort, and file name to d.l?
snortrules-snapshot-2.1.tar.gz

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
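The nightly-fetch script in the message above has one failure mode worth closing: wget -O writes whatever the server returns, so a 403 page like the one Snortty quotes (or an empty response) silently overwrites the last good snortrules.tar.gz, and Oinkmaster then pulls a broken file at 11PM. The script below is an added example, not the poster's script: it downloads to a temporary name, accepts the result only if it is a valid gzip stream, and replaces the published copy with an atomic rename. The wget path, the local directory and the --run guard are assumptions. A related caveat for the .htaccess approach: X-Cluster-Client-Ip is an ordinary request header that any client can set, so that rule only restricts access if a load balancer or proxy in front of the web server overwrites it; on a directly reachable server, restrict on the connecting address (Allow from / Require ip) instead.

```shell
#!/bin/sh
# Added example (not the original poster's script): a fail-safe version of the
# nightly rules fetch. The published file is replaced only after the download
# succeeds and the payload is a real gzip archive, so a failed or blocked fetch
# (for example an HTML "403 ... valid oink code" page) never clobbers the copy
# Oinkmaster will pull later. Paths and the wget location are assumptions.

RULESDIR="${RULESDIR:-/path/to/your/local/dir}"   # assumed local web directory
FILE="snortrules.tar.gz"                          # fixed name Oinkmaster expects
WGET="${WGET:-/usr/local/bin/wget}"               # assumed wget path

# download URL ($1) to path ($2); kept separate so it can be swapped out offline
download() {
    "$WGET" -q -O "$2" "$1"
}

# fetch_rules URL DEST -> 0 on success, 1 on download failure, 2 on bad content
fetch_rules() {
    url="$1"
    dest="$2"
    tmp="$dest.tmp.$$"

    if ! download "$url" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # wget -O stores whatever the server returned, even an error page;
    # gzip -t fails on anything that is not a valid gzip stream
    if ! gzip -t "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    chmod 664 "$tmp"
    mv -f "$tmp" "$dest"   # rename is atomic on the same filesystem
}

# only run the real fetch when invoked with --run, so sourcing the file is safe
if [ "${1:-}" = "--run" ]; then
    OINKCODE="put your oink code here"
    RULES="snortrules-snapshot-{your version}.tar.gz"
    fetch_rules "http://www.snort.org/pub-bin/oinkmaster.cgi/$OINKCODE/$RULES" "$RULESDIR/$FILE"
fi
```

Run it from cron as `fetch_rules.sh --run`; because a rejected download leaves the previous archive untouched, Oinkmaster keeps working from the last good snapshot until the next successful fetch, and a non-zero exit status from cron tells you the fetch needs attention.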