[Snort-users] Re: [Snort-sigs] Oinkmaster questions

Anthony Kim Anthony.Kim at ...9338...
Mon Jun 9 15:26:05 EDT 2003


On Tue, Jun 10, 2003, Russell Fulton wrote:

> On Tue, 2003-06-10 at 07:00, Philip Davidson wrote:
> > Hello all,
> >
> > Has anyone ever had any problems with letting oinkmaster be
> > fully automated?  Some documentation that I have says that it
> > could be unreliable for a couple of reasons.  But I am
> > wondering if anyone has ever had any problems like snort
> > messing up as a result of full automation.
> 
> There have been *very* occasional glitches where new rules have
> triggered bugs in some configurations.  I have my own equivalent
> of oinkmaster (I'm currently dumping it in favour of
> oinkmaster) and I have had problems with it barfing on some new
> rules that it did not know how to handle.  Oinkmaster is
> probably more robust in this respect -- it does not try to be
> as smart as mine ;-) and is more stable because of it.

I was considering adding md5 checksum verification to oinkmaster
at some point but never got around to it.

Anyhow for now I use make, sed, and CVS which works fine.

md5 checking can look a little like this in your Makefile:

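# Fail unless the tarball's MD5 appears in the published .md5 file.
# The test -n guard stops an empty digest (md5sum failed) from reaching grep.
checksum:
	CKSUM=`md5sum snortrules-stable.tar.gz | awk '{print $$1}'`;\
	test -n "$$CKSUM" && \
	grep "$$CKSUM" snortrules-stable.tar.gz.md5 >/dev/null 2>&1 || \
		(echo "Checksum does not match!" && exit 1)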

Oinkmaster does have a simple elegance to it and is preferable
for most people I'm sure.
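
The same check as a standalone shell script, given here as an added example that is not part of the original post or of Oinkmaster: it fails closed when the digest cannot be computed and replaces the live tarball only after a match, so an unattended run that fails leaves the previous rules in place. The function names, the file names used in `demo`, and the layout of the `.md5` file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names are constructed.

# verify_md5 TARBALL MD5FILE -> 0 match, 1 mismatch, 2 could not check.
verify_md5() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    actual=$(md5sum "$1" 2>/dev/null | awk '{print tolower($1)}')
    # An empty or malformed digest must fail: an empty grep pattern would
    # otherwise match every line of the checksum file.
    case $actual in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#actual}" -eq 32 ] || return 2
    # Assumption: the .md5 file holds the digest as a whitespace-separated
    # field, alone or followed by the file name (md5sum output format).
    awk -v want="$actual" '
        { for (i = 1; i <= NF; i++) if (tolower($i) == want) ok = 1 }
        END { exit ok ? 0 : 1 }' "$2"
}

# install_verified TARBALL MD5FILE LIVE: replace LIVE only after a match,
# so a failed unattended run keeps the previous rules.
install_verified() {
    verify_md5 "$1" "$2" || return $?
    cp "$1" "$3.new" && mv "$3.new" "$3"
}

# Constructed sample data for a self-contained run.
demo() {
    d=$(mktemp -d) || return 2
    printf 'old rules\n' > "$d/live.tar.gz"
    printf 'new rules\n' > "$d/new.tar.gz"
    md5sum "$d/new.tar.gz" > "$d/new.md5"
    printf 'corrupted\n' > "$d/bad.tar.gz"
    install_verified "$d/bad.tar.gz" "$d/new.md5" "$d/live.tar.gz" && bad=0 || bad=$?
    before=$(cat "$d/live.tar.gz")
    install_verified "$d/new.tar.gz" "$d/new.md5" "$d/live.tar.gz" && good=0 || good=$?
    after=$(cat "$d/live.tar.gz")
    install_verified "$d/none.tar.gz" "$d/new.md5" "$d/live.tar.gz" && missing=0 || missing=$?
    rm -rf "$d"
    echo "$bad:$before:$good:$after:$missing"
}
demo
```

An MD5 file fetched from the same server as the tarball detects a damaged or truncated download, not a tampered one.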