
I installed oinkmaster so I can update snort rules, but I can't get it to work.  Does the oinkmaster.conf file need to be in the same folder as all the snort rules?

asked 08/25/2011 11:10


denver218 ♦♦


8 Answers:
Oinkmaster comes with command line switches like "-c", so the configuration file does not need to be in the Snort rules directory (it could be in /etc or /usr/local/etc), and saying "doesn't work" does not provide any information that helps us help you. The "-T" flag is for testing your setup (best not to use "-q" or "-Q" at the time of testing) so you can post more information. If you do, please post: 0) the complete command line you use to run oinkmaster, 1) the oinkmaster.conf (but like 'grep -v ^# /path/to/oinkmaster.conf|grep .;') and 2) any (error) output from running oinkmaster. *Also note that errors from having Oinkmaster fetch Sourcefire VRT Snort rule sets without a registered user account are not an Oinkmaster but a wetware error.

unSpawn

My oinkmaster.conf file is in the /etc directory.  Below is a portion of my oinkmaster.conf file.  The only line I added is the one that is not commented out.

# This is the default Debian configuration for oinkmaster
# For more information on how to customise this file with
# further options please check /usr/share/doc/oinkmaster/examples
# for the original (bigger and more verbose) configuration file.

# -------------------------
# Location of rules archive
# -------------------------
# NOTE: this might need to be changed based on the Snort version
# you are running. This configuration file uses Snort 2.2.x
#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<47d9fd4ef7b61d2f52ec988cfe9af50a3351c07c>/snortrules-snapshot-2905.tar.gz
# For Snort 2.1
#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

# For Snort 2.0
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz
# To use CVS snapshots
# url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz

I think I am using the wrong syntax to test this.

denver218

When I run "oinkmaster.pl -o /usr/local/snort/rules" it says oinkmaster.pl - command not found

denver218

Remove the angled brackets from the URI in oinkmaster.conf and supply the full path to oinkmaster.pl, as it appears to be outside your user's $PATH statement.

unSpawn

Ok, I removed the brackets. If I paste the url into my browser it works, I can download the rules. If I run "oinkmaster.pl -o /usr/local/snort/rules" it still says oinkmaster.pl: command not found.

My snort rules are in  /usr/local/snort/rules
My oinkmaster.conf is in /etc

I'm not sure what I'm doing wrong here.

denver218

Ok, I got it to work using ./oinkmaster.pl -o .usr/local/snort/rules, but I had some rules commented out and since I updated the rules they are no longer commented out. For example, in "shellcode.rules" I had about 4 things commented out, and when I updated they are no longer commented out. Is there a way I can update the rules without this happening?

denver218

Yes, by finding out which SID number the rules have and adding each number to a "disablesid" line in oinkmaster.conf. Example:

disablesid 647, 10504, 12798

unSpawn
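The two pieces of advice in this thread (check the effective oinkmaster.conf with the angle brackets gone from the url line, and carry locally disabled rules forward as a "disablesid" line) can both be scripted. The following is an added example, not code from the thread or from Oinkmaster itself: it compares a locally edited rules file with the freshly fetched upstream copy, reports the SIDs that were commented out locally but are active upstream, and emits the "disablesid" line to paste into oinkmaster.conf. The rules, SIDs and the config fragment below are constructed for illustration and do not correspond to real VRT rules; the "<oinkcode>" placeholder stands in for a real oinkcode.

```python
"""Carry local rule disables forward as an Oinkmaster disablesid line.

Added example, not part of the original thread or of Oinkmaster. Rule text,
SIDs and the config fragment are constructed for illustration only.
"""
import re

# A Snort rule line, optionally commented out, with its "sid:N;" option.
# Ordinary comments such as "# These rules ..." do not match because the
# action keyword must follow the "#".
RULE_RE = re.compile(
    r'^\s*(?P<commented>#\s*)?'
    r'(?:alert|log|pass|drop|reject|sdrop)\s+'
    r'.*\bsid\s*:\s*(?P<sid>\d+)\s*;',
    re.IGNORECASE,
)

# Constructed "local" shellcode.rules: B and C were disabled by hand, D ships disabled.
LOCAL_RULES = """\
# Constructed rules for the example; SIDs and content are not real VRT rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE shellcode pattern A"; content:"|90 90 90 90|"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE shellcode pattern B"; content:"|CC CC CC CC|"; sid:9000002; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE shellcode pattern C"; content:"|EB FE|"; sid:9000003; rev:2;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled upstream D"; content:"X"; sid:9000004; rev:1;)
"""

# Constructed "after update" file: upstream re-enabled B and C and added a new rule E.
UPSTREAM_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE shellcode pattern A"; content:"|90 90 90 90|"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE shellcode pattern B"; content:"|CC CC CC CC|"; sid:9000002; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE shellcode pattern C"; content:"|EB FE|"; sid:9000003; rev:2;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled upstream D"; content:"X"; sid:9000004; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE new rule E"; content:"Y"; sid:9000005; rev:1;)
"""

# Constructed oinkmaster.conf fragment with the bracket mistake from the thread.
SAMPLE_CONF = """\
# constructed oinkmaster.conf fragment; <oinkcode> is a placeholder, not a real code
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2905.tar.gz
disablesid 647, 10504, 12798
"""


def rule_states(rules_text):
    """Map sid -> True if the rule is active, False if it is commented out."""
    states = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            states[int(m.group('sid'))] = m.group('commented') is None
    return states


def sids_to_disable(local_text, upstream_text):
    """SIDs commented out locally that the upstream file would turn back on."""
    local = rule_states(local_text)
    upstream = rule_states(upstream_text)
    return sorted(sid for sid, active in upstream.items()
                  if active and local.get(sid) is False)


def disablesid_line(sids):
    """Format SIDs as an oinkmaster.conf "disablesid" line (comma separated)."""
    return 'disablesid ' + ', '.join(str(sid) for sid in sids)


def active_conf_lines(conf_text):
    """Equivalent of `grep -v ^# oinkmaster.conf | grep .`: non-comment, non-blank lines."""
    return [line for line in conf_text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')]


def conf_problems(conf_text):
    """Flag a url line that still carries the angle brackets from the template."""
    problems = []
    for line in active_conf_lines(conf_text):
        key, _, value = line.partition('=')
        if key.strip() == 'url' and ('<' in value or '>' in value):
            problems.append('url still contains angle brackets: ' + value.strip())
    return problems


if __name__ == '__main__':
    for problem in conf_problems(SAMPLE_CONF):
        print('conf problem:', problem)
    # Expected: "disablesid 9000002, 9000003" (B and C; D stays disabled upstream anyway)
    print(disablesid_line(sids_to_disable(LOCAL_RULES, UPSTREAM_RULES)))
```

In practice, point rule_states at the rules directory as it is before the update and at the contents of the freshly downloaded snapshot, then append the printed line to oinkmaster.conf; Oinkmaster will comment those SIDs out on every subsequent run, so the local decision no longer lives only in the rules file that the update overwrites.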

Thanks

denver218


Last updated: 08/29/2011 01:47