Hints on Using Oinkmaster and Sguil

I released an updated Sguil Installation Guide today that shows how to replace the Snort stream4 keepstats-based session data collection system with John Curry's SANCP code. SANCP is a better option than stream4, as SANCP tracks not only TCP like stream4 but also UDP and ICMP. The flows are also easier to work with, since they tend to occupy single entries.

I've also been experimenting with the best way to use Oinkmaster with my preferred directory layouts. When Oinkmaster runs, it works in the directory specified. For example:

perl ./oinkmaster.pl -b /tmp -o /usr/local/etc/snort/rules

 -C /usr/local/etc/snort/oinkmaster.conf

This syntax will tell Oinkmaster to place the files it manipulates in the /usr/local/etc/snort/rules directory. Besides the .rules files, this includes other important files:

    -> classification.config

    -> gen-msg.map

    -> reference.config

    -> sid-msg.map

    -> threshold.conf

    -> unicode.map

I like to keep these in /usr/local/etc/snort. To deal with this, I replaced these files in /usr/local/etc/snort with symlinks to the real files in /usr/local/etc/snort/rules:

orr:/usr/local/etc/snort# rm classification.config gen-msg.map reference.config  

 sid-msg.map threshold.conf unicode.map 

orr:/usr/local/etc/snort# ln -s rules/classification.config  classification.config

orr:/usr/local/etc/snort# ln -s rules/gen-msg.map gen-msg.map

orr:/usr/local/etc/snort# ln -s rules/reference.config  reference.config

orr:/usr/local/etc/snort# ln -s rules/sid-msg.map  sid-msg.map

orr:/usr/local/etc/snort# ln -s rules/threshold.conf threshold.conf

orr:/usr/local/etc/snort# ln -s rules/unicode.map unicode.map

This may seem a waste of time, but I have /usr/local/etc/snort coded into many of the Sguil config files as the location of these various .conf and .map configuration files.