Snort mailing list archives
Re: ET rules in emerging.conf deactivated after updating via Oinkmaster&cron
From: Jun Wan <junwei_wan () hotmail com>
Date: Tue, 30 Nov 2010 00:40:48 +0000
Hi,

Sorry for sending an email without any content in "subject", I was tired last night. So I sent it again this morning, this time with something in the subject. Many thanks to Joel and Matt for responding to my "no subject" email; please see below in case someone is interested in this subject.

From Joel Esler:

John, have you looked into pulledpork? http://code.google.com/p/pulledpork/ Check it out for updating rules.

Sent from my iPad
From Matthew Jonkman:

I also recommend Pulled Pork as Joel recommended. I'd also recommend that you take the emerging.conf and just pull into your traditional snort.conf what you need. snort.conf shouldn't ever be overwritten, and then all of your config is in the same place. Pulled pork and other tools should tell you when you have a change in emerging.conf you need to consider using. For example we're pushing out a SCADA ruleset soon in a separate file, so you'll need to add that to your config if you want to run those rules. That will show in the emerging.conf and you can add it to your snort.conf if you desire.

Does that help?

Matt
Regards
John

From: junwei_wan () hotmail com
To: snort-users () lists sourceforge net; emerging-sigs () emergingthreats net
Date: Mon, 29 Nov 2010 21:24:57 +0000
Subject: [Snort-users] ET rules in emerging.conf deactivated after updating via Oinkmaster&cron

Hi,

I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every 2:00 am. I have a very simple oinkmaster.conf; I add nothing but the following two lines in oinkmaster.conf (I haven't gone through the rules files taking down the sids to disable, etc.), please see the following:

sudo vi /usr/local/etc/oinkmaster.conf
url = http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz

Cron does a good job every 2:00 am as I can see lots of rules are updated via "ls -l /usr/local/snort/rules", please see the following:

...............
-rw-r--r-- 1 root root 558418 2010-11-28 02:01 emerging-trojan.rules
-rw-r--r-- 1 root root 222930 2010-11-28 02:01 emerging-user_agents.rules
-rw-r--r-- 1 root root 26489 2010-11-21 02:01 emerging-virus.rules
-rw-r--r-- 1 root root 6974 2010-11-11 02:01 emerging-voip.rules
-rw-r--r-- 1 root root 48160 2010-11-25 02:01 emerging-web_client.rules
-rw-r--r-- 1 root root 103214 2010-11-25 02:01 emerging-web_server.rules
-rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root 17216 2010-11-11 02:01 emerging-worm.rules
-rw-r--r-- 1 1210 1210 1327 2005-05-17 08:18 experimental.rules
-rw-r--r-- 1 1210 1210 131923 2010-11-28 02:01 exploit.rules
-rw-r--r-- 1 1210 1210 4578 2010-10-30 16:12 finger.rules
-rw-r--r-- 1 1210 1210 32417 2010-11-26 02:01 ftp.rules
-rw-r--r-- 1 root root 18269 2010-10-30 13:13 gen-msg.map
-rw-r--r-- 1 root root 18092 2010-10-30 13:13 gpl-2.0.txt
-rw-r--r-- 1 1210 1210 16989 2010-04-30 00:27 icmp-info.rules
-rw-r--r-- 1 1210 1210 5546 2010-11-26 02:01 icmp.rules
-rw-r--r-- 1 1210 1210 32828 2010-11-26 02:01 imap.rules
-rw-r--r-- 1 1210 1210 1043 2010-04-30 00:27 info.rules
...............

And I add emerging.conf in the following:

sudo vi /usr/local/snort/etc/snort.conf
..............
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/emerging.conf
.................

VRT rules are the foundation of detecting abnormal network activities, whilst Emergingthreats rules are what I want to use as well to cover virus, trojan, malware etc., so I did the following:

sudo vi /usr/local/snort/rules/emerging.conf
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
.....
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
........
include $RULE_PATH/emerging-worm.rules
.............
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................

I did some testing with p2p traffic, and an alert was generated by the ET p2p rule, which is good, but the problem is that all the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc., are disabled the next morning, and I get the following every morning:

sudo vi /usr/local/snort/rules/emerging.conf
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
.....
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
#include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-malware.rules
........
#include $RULE_PATH/emerging-worm.rules
.............
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................

I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I configured before. My questions would be:

1.) Is this the right way for Snort to use ET rules, by modifying the emerging.conf as above (removing # from rules of virus, trojan, p2p etc.)?
2.) How can I keep the modified emerging.conf from being overwritten by a newly downloaded one from ET?

Any information and help would be much appreciated.

Thanks
Regards
John

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
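Matt's advice above is to keep the include lines you want in snort.conf and never edit the downloaded emerging.conf, and to have a tool tell you when emerging.conf changes. The following is an added example from this editor, not code from the thread, Oinkmaster or PulledPork: it compares the emerging-*.rules files a freshly downloaded emerging.conf offers (commented or not) with those snort.conf actually includes, so a nightly cron run can report new or dropped rule files instead of silently losing your selections. File paths are assumed and the sample files are constructed.

```sh
# Added example (not from the thread, Oinkmaster or PulledPork); paths assumed, samples constructed.
# Rule files an emerging.conf offers, whether the include line is commented out or not.
offered_rules() {
    sed -e 's/^[# ]*//' "$1" \
      | grep '^include[[:space:]][[:space:]]*\$RULE_PATH/emerging-.*\.rules' \
      | sed -e 's#.*\$RULE_PATH/##' | sort -u
}
# Rule files snort.conf actually enables (uncommented include lines only).
enabled_rules() {
    grep '^[[:space:]]*include[[:space:]][[:space:]]*\$RULE_PATH/emerging-.*\.rules' "$1" \
      | sed -e 's#.*\$RULE_PATH/##' | sort -u
}
# Print "NEW  <file>" for files emerging.conf offers but snort.conf lacks and
# "GONE <file>" for files snort.conf includes that emerging.conf no longer offers.
# Exit status 0 when nothing changed, 1 when something needs a look.
report_changes() {
    offered=$(offered_rules "$1")
    enabled=$(enabled_rules "$2")
    changed=0
    for f in $offered; do
        echo "$enabled" | grep -qxF "$f" || { echo "NEW  $f"; changed=1; }
    done
    for f in $enabled; do
        echo "$offered" | grep -qxF "$f" || { echo "GONE $f"; changed=1; }
    done
    return $changed
}
# Stand-alone run on constructed sample files (not real ET or VRT content).
demo() {
    d=$(mktemp -d)
    cat > "$d/emerging.conf" <<'EOF'
#include $RULE_PATH/classification.config
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-virus.rules
##include $RULE_PATH/emerging-scada.rules
EOF
    cat > "$d/snort.conf" <<'EOF'
include $RULE_PATH/web-misc.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-p2p.rules
EOF
    if report_changes "$d/emerging.conf" "$d/snort.conf"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
# In a cron job, replace demo with report_changes on the real files and mail the output.
demo || echo "emerging.conf changed: review the include lines in snort.conf"
```

On the constructed samples this reports two NEW files (emerging-scada.rules, emerging-virus.rules) and one GONE file (emerging-p2p.rules), with exit status 1.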