[Snort-users] (no subject)

Jun Wan junwei_wan at ...125...
Mon Nov 29 05:36:24 EST 2010


Hi,
 
I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every 2:00 am. I have a very simple oinkmaster.conf, I add nothing but the following two lines in oinkmaster.conf (I haven't gone through the rules files taking down the sids to disable, etc) , please see the following:
sudo vi /usr/local/etc/oinkmaster.conf
url = http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
 
 Cron does a good job every 2:00 am as I can see lots of rules are updated via" ls -l /usr/local/snort/rules", please see the following:
...............
-rw-r--r-- 1 root root  558418 2010-11-28 02:01 emerging-trojan.rules
-rw-r--r-- 1 root root  222930 2010-11-28 02:01 emerging-user_agents.rules
-rw-r--r-- 1 root root   26489 2010-11-21 02:01 emerging-virus.rules
-rw-r--r-- 1 root root    6974 2010-11-11 02:01 emerging-voip.rules
-rw-r--r-- 1 root root   48160 2010-11-25 02:01 emerging-web_client.rules
-rw-r--r-- 1 root root  103214 2010-11-25 02:01 emerging-web_server.rules
-rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root   17216 2010-11-11 02:01 emerging-worm.rules
-rw-r--r-- 1 1210 1210    1327 2005-05-17 08:18 experimental.rules
-rw-r--r-- 1 1210 1210  131923 2010-11-28 02:01 exploit.rules
-rw-r--r-- 1 1210 1210    4578 2010-10-30 16:12 finger.rules
-rw-r--r-- 1 1210 1210   32417 2010-11-26 02:01 ftp.rules
-rw-r--r-- 1 root root   18269 2010-10-30 13:13 gen-msg.map
-rw-r--r-- 1 root root   18092 2010-10-30 13:13 gpl-2.0.txt
-rw-r--r-- 1 1210 1210   16989 2010-04-30 00:27 icmp-info.rules
-rw-r--r-- 1 1210 1210    5546 2010-11-26 02:01 icmp.rules
-rw-r--r-- 1 1210 1210   32828 2010-11-26 02:01 imap.rules
-rw-r--r-- 1 1210 1210    1043 2010-04-30 00:27 info.rules  
...............
 
And I add emerging.conf in the follwoing:
 
sudo vi /usr/local/snort/etc/snort.conf  
 
..............
 
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/emerging.conf
.................
 
 
VRT rules are the foundation of detecting abnormal network activities whilst  Emergingthreats is rules I want to use as well to cover virus, trojan, malware etc, so I did the following:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
........
 
include $RULE_PATH/emerging-worm.rules
.............
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I did some testing with p2p traffic, an Alert generated by the ET p2p rule, which is good, but the problem is that all the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc, are disabled next morning, and I get the following every morning:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
#include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-malware.rules
........
 
#include $RULE_PATH/emerging-worm.rules
.............
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I configured before, my questions would be:
 
1.) Is this the right way for Snort to use ET rules by modifying the emerging.conf as above (removing # from rules of virus, trojan, p2p etc) ?
2.) How can I keep the modified emerging.conf from being overwritten to a new downloaded one from ET?
 
Any information and help would be much appreciated.
 
Thanks
 
Regards
 
John 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101129/7dc6a241/attachment.html>


More information about the Snort-users mailing list