After registering with Snort.org, logging in, and clicking the "Get Code" button at the bottom of the User Preferences page, I added the code to my oinkmaster.conf file.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/snortrules-snapshot-2.3.tar.gz
Then I ran Oinkmaster in the /nsm/rules/testing directory on my Sguild server.
allison:/root# oinkmaster -v -o /nsm/rules/testing
Loading /usr/local/etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /usr/bin
Found tar binary in /usr/bin
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/snortrules-snapshot-2.3.tar.gz...
--18:45:57-- http://www.snort.org/pub-bin/oinkmaster.cgi/codegoeshere/snortrules-snapshot-2.3.tar.gz
=> `/tmp/oinkmaster.5846XLP3r9/url.s8OALJAggP/snortrules.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
...edited...
18:46:00 (500.29 KB/s) - `/tmp/oinkmaster.5846XLP3r9/url.s8OALJAggP/snortrules.tar.gz' saved [766903]
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules...
disabled 0, enabled 0, modified 0, total=3166
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating rules... done.
[***] Results from Oinkmaster started 20050626 18:46:25 [***]
...truncated...
I noticed the following added to the rules files, like x11.rules.
-> Added to x11.rules (17):
# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
The old copyrights are gone.
-> Removed from x11.rules (2):
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
Now that the rules in /nsm/rules/testing are updated, I perform a quick sanity check to see if they work with my snort.conf and version of Snort. Running Snort with -T makes it parse the configuration and every included rules file, then exit without sniffing, so a rule that uses an option this build does not understand shows up here rather than when the production process is restarted.
snort -T -c /usr/local/etc/snort.conf
Running in IDS mode
Initializing Network Interface xl0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface xl0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/etc/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
...edited...
2699 Snort rules read...
2699 Option Chains linked into 193 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
...edited...
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.3 (Build 14)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.
Snort sucessfully loaded all rules and checked all rule chains!
...edited...
Snort exiting
Now that I know Snort will run with the new rules, I copy them to the directories on the Sguil server corresponding to the rules used on a sensor. I also copy them to the sensor itself after creating an archive of the new rules.
Once I unpack the new rules on the sensor, I try running 'snort -T' again to double-check the validity of the rules. If the rules pass (and they should, being a copy of what I just validated), I shut down the old Snort process and start a new one.
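The staging, validation and promotion steps above can be tied together so that the live rules directory is only replaced after "snort -T" has passed against the staged copy. The script below is an added example, not the author's own tooling or anything shipped with Oinkmaster or Snort. It assumes snort.conf sets the rules location with a `var RULE_PATH` line (Snort's usual convention) and that the paths and the SNORT_BIN override are placeholders you adjust for your own sensor.

```shell
#!/bin/sh
# Added example (not from the original post): stage a rule update, validate it
# with "snort -T", and only then swap it into the live rules directory.
# Assumptions: the directory names are constructed placeholders, and SNORT_BIN
# may be overridden so the promotion logic can be exercised without Snort.
set -u

# Validate a candidate rules directory by pointing a temporary copy of
# snort.conf at it. Returns 0 when "snort -T" succeeds, nonzero otherwise.
validate_rules() {
    rules_dir="$1"
    conf="$2"
    tmpconf=$(mktemp)
    # Rewrite RULE_PATH so the test run reads the staged rules, not the live ones
    sed "s|^var RULE_PATH .*|var RULE_PATH $rules_dir|" "$conf" > "$tmpconf"
    "${SNORT_BIN:-snort}" -T -c "$tmpconf" >/dev/null 2>&1
    rc=$?
    rm -f "$tmpconf"
    return $rc
}

# Count active (uncommented) rules in a directory, for a before/after sanity
# check against the "total=" figure Oinkmaster reports.
count_rules() {
    grep -hE '^[[:space:]]*(alert|log|pass|drop)' "$1"/*.rules 2>/dev/null \
        | wc -l | tr -d ' '
}

# Promote staged rules into the live directory only after validation passes.
# The previous rule set is kept so a bad update can be rolled back.
promote_rules() {
    staging="$1"
    live="$2"
    conf="$3"
    if ! validate_rules "$staging" "$conf"; then
        echo "staged rules failed snort -T; leaving $live untouched" >&2
        return 1
    fi
    if [ -d "$live" ]; then
        mv "$live" "$live.prev.$(date +%Y%m%d%H%M%S)"
    fi
    cp -R "$staging" "$live"
    echo "promoted $(count_rules "$live") active rules into $live"
}

# Typical use on the Sguil server from the post, after Oinkmaster has updated
# the staging directory:
#   promote_rules /nsm/rules/testing /nsm/rules/sensor /usr/local/etc/snort.conf
```

The count from count_rules is a coarse check, not a replacement for the -T run: it catches an archive that unpacked empty or only partially, while snort -T catches rules this build cannot parse. The oinkcode embedded in the Oinkmaster URL is a per-account credential, so oinkmaster.conf should be readable only by the account that runs the update.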