Home page logo
/

snort logo Snort mailing list archives

Re: ET rules in emerging.conf deactivated after updating via Oinkmaster&cron
From: Jun Wan <junwei_wan () hotmail com>
Date: Tue, 30 Nov 2010 00:40:48 +0000


Hi,
 
Sorry for sending an email without any content in "subject", I was tired last night.
 
So I sent it again this morning, this time with something in the subject.
 
Many thanks for responding my “no subject’ email from Joel and Matt, please see below in case someone is interested in 
this subject.
 
 From Joel Esler
 
John, have you looked into pulledpork?
 
http://code.google.com/p/pulledpork/
 
Check it out for updating rules. 

Sent from my iPad

 

From Matthew Jonkman
 
I also recommend Pulled Pork as Joel recommended. I'd also recommend that you take the emerging.cong and just pull into 
your traditional snort.conf what you need. snort.conf shouldn't ever be overwritten, and then all of your config is in 
the same place.  
 
Pulled pork and other tools should tell you when you have a change in emerging.conf you need to consider using. For 
example we're pushing out a SCADA ruleset soon in a separate file, so you'll need to add that to your config if you 
want to run those rules. That will show in the emerging.conf and you can add to your snort,conf if you desire. 
 
Does that help?
 
Matt

 
Regards
 
John

 


From: junwei_wan () hotmail com
To: snort-users () lists sourceforge net; emerging-sigs () emergingthreats net
Date: Mon, 29 Nov 2010 21:24:57 +0000
Subject: [Snort-users] ET rules in emerging.conf deactivated after updating via Oinkmaster&cron




Hi,

 
I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every 2:00 am. I have a very simple 
oinkmaster.conf, I add nothing but the following two lines in oinkmaster.conf (I haven't gone through the rules files 
taking down the sids to disable, etc) , please see the following:
sudo vi /usr/local/etc/oinkmaster.conf
url = 
http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
 
 Cron does a good job every 2:00 am as I can see lots of rules are updated via" ls -l /usr/local/snort/rules", please 
see the following:
...............
-rw-r--r-- 1 root root  558418 2010-11-28 02:01 emerging-trojan.rules
-rw-r--r-- 1 root root  222930 2010-11-28 02:01 emerging-user_agents.rules
-rw-r--r-- 1 root root   26489 2010-11-21 02:01 emerging-virus.rules
-rw-r--r-- 1 root root    6974 2010-11-11 02:01 emerging-voip.rules
-rw-r--r-- 1 root root   48160 2010-11-25 02:01 emerging-web_client.rules
-rw-r--r-- 1 root root  103214 2010-11-25 02:01 emerging-web_server.rules
-rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root   17216 2010-11-11 02:01 emerging-worm.rules
-rw-r--r-- 1 1210 1210    1327 2005-05-17 08:18 experimental.rules
-rw-r--r-- 1 1210 1210  131923 2010-11-28 02:01 exploit.rules
-rw-r--r-- 1 1210 1210    4578 2010-10-30 16:12 finger.rules
-rw-r--r-- 1 1210 1210   32417 2010-11-26 02:01 ftp.rules
-rw-r--r-- 1 root root   18269 2010-10-30 13:13 gen-msg.map
-rw-r--r-- 1 root root   18092 2010-10-30 13:13 gpl-2.0.txt
-rw-r--r-- 1 1210 1210   16989 2010-04-30 00:27 icmp-info.rules
-rw-r--r-- 1 1210 1210    5546 2010-11-26 02:01 icmp.rules
-rw-r--r-- 1 1210 1210   32828 2010-11-26 02:01 imap.rules
-rw-r--r-- 1 1210 1210    1043 2010-04-30 00:27 info.rules  
...............
 
And I add emerging.conf in the follwoing:
 
sudo vi /usr/local/snort/etc/snort.conf  
 
..............
 
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/emerging.conf
.................
 
 
VRT rules are the foundation of detecting abnormal network activities whilst  Emergingthreats is rules I want to use as 
well to cover virus, trojan, malware etc, so I did the following:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
........
 
include $RULE_PATH/emerging-worm.rules
.............
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I did some testing with p2p traffic, an Alert generated by the ET p2p rule, which is good, but the problem is that all 
the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc, are disabled next morning, and I get the following 
every morning:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
#include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-malware.rules
........
 
#include $RULE_PATH/emerging-worm.rules
.............
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I 
configured before, my questions would be:
 
1.) Is this the right way for Snort to use ET rules by modifying the emerging.conf as above (removing # from rules of 
virus, trojan, p2p etc) ?
2.) How can I keep the modified emerging.conf from being overwritten to a new downloaded one from ET?
 
Any information and help would be much appreciated.
 
Thanks
 
Regards
 
John
------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App 
& Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for 
Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are 
up for grabs. http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users 
------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App 
& Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for 
Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are 
up for grabs. http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users                                           
------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]