I released an updated Sguil Installation Guide today that shows how to replace the Snort stream4 keepstats-based session data collection system with John Curry's SANCP code. SANCP is a better option than stream4, as SANCP tracks not only TCP like stream4 but also UDP and ICMP. The flows are also easier to work with, since they tend to occupy single entries.
I've also been experimenting with the best way to use Oinkmaster with my preferred directory layouts. When Oinkmaster runs, it works in the directory specified. For example:
perl ./oinkmaster.pl -b /tmp -o /usr/local/etc/snort/rules
-C /usr/local/etc/snort/oinkmaster.conf
This syntax will tell Oinkmaster to place the files it manipulates in the /usr/local/etc/snort/rules directory. Besides the .rules files, this includes other important files:
-> classification.config
-> gen-msg.map
-> reference.config
-> sid-msg.map
-> threshold.conf
-> unicode.map
I like to keep these in /usr/local/etc/snort. To deal with this, I replaced these files in /usr/local/etc/snort with symlinks to the real files in /usr/local/etc/snort/rules:
orr:/usr/local/etc/snort# rm classification.config gen-msg.map reference.config
sid-msg.map threshold.conf unicode.map
orr:/usr/local/etc/snort# ln -s rules/classification.config classification.config
orr:/usr/local/etc/snort# ln -s rules/gen-msg.map gen-msg.map
orr:/usr/local/etc/snort# ln -s rules/reference.config reference.config
orr:/usr/local/etc/snort# ln -s rules/sid-msg.map sid-msg.map
orr:/usr/local/etc/snort# ln -s rules/threshold.conf threshold.conf
orr:/usr/local/etc/snort# ln -s rules/unicode.map unicode.map
This may seem a waste of time, but I have /usr/local/etc/snort coded into many of the Sguil config files as the location of these various .conf and .map configuration files.
0 komentar:
Posting Komentar