[Snort-users] [Emerging-Sigs] (no subject)

Joel Esler jesler at ...1935...
Mon Nov 29 07:10:56 EST 2010


John, have you looked into pulledpork?

http://code.google.com/p/pulledpork/

Check it out for updating rules. 

Sent from my iPad

On Nov 29, 2010, at 5:36 AM, Jun Wan <junwei_wan at ...125...> wrote:

> Hi,
>  
> I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every 2:00 am. I have a very simple oinkmaster.conf, I add nothing but the following two lines in oinkmaster.conf (I haven't gone through the rules files taking down the sids to disable, etc) , please see the following:
> sudo vi /usr/local/etc/oinkmaster.conf
> url = http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
> url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
>  
> Cron does a good job every 2:00 am, as I can see lots of rules are updated via "ls -l /usr/local/snort/rules", please see the following:
> ...............
> -rw-r--r-- 1 root root  558418 2010-11-28 02:01 emerging-trojan.rules
> -rw-r--r-- 1 root root  222930 2010-11-28 02:01 emerging-user_agents.rules
> -rw-r--r-- 1 root root   26489 2010-11-21 02:01 emerging-virus.rules
> -rw-r--r-- 1 root root    6974 2010-11-11 02:01 emerging-voip.rules
> -rw-r--r-- 1 root root   48160 2010-11-25 02:01 emerging-web_client.rules
> -rw-r--r-- 1 root root  103214 2010-11-25 02:01 emerging-web_server.rules
> -rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
> -rw-r--r-- 1 root root   17216 2010-11-11 02:01 emerging-worm.rules
> -rw-r--r-- 1 1210 1210    1327 2005-05-17 08:18 experimental.rules
> -rw-r--r-- 1 1210 1210  131923 2010-11-28 02:01 exploit.rules
> -rw-r--r-- 1 1210 1210    4578 2010-10-30 16:12 finger.rules
> -rw-r--r-- 1 1210 1210   32417 2010-11-26 02:01 ftp.rules
> -rw-r--r-- 1 root root   18269 2010-10-30 13:13 gen-msg.map
> -rw-r--r-- 1 root root   18092 2010-10-30 13:13 gpl-2.0.txt
> -rw-r--r-- 1 1210 1210   16989 2010-04-30 00:27 icmp-info.rules
> -rw-r--r-- 1 1210 1210    5546 2010-11-26 02:01 icmp.rules
> -rw-r--r-- 1 1210 1210   32828 2010-11-26 02:01 imap.rules
> -rw-r--r-- 1 1210 1210    1043 2010-04-30 00:27 info.rules 
> ...............
>  
> And I add emerging.conf in the following:
>  
> sudo vi /usr/local/snort/etc/snort.conf 
>  
> ..............
>  
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/emerging.conf
> .................
>  
>  
> VRT rules are the foundation of detecting abnormal network activities, whilst Emergingthreats rules are what I want to use as well to cover virus, trojan, malware etc, so I did the following:
>  
> sudo vi /usr/local/snort/rules/emerging.conf
>  
> #include $RULE_PATH/classification.config
> #include $RULE_PATH/reference.config
>  
> .....
> include $RULE_PATH/emerging-trojan.rules
> #include $RULE_PATH/emerging-games.rules
> .......
> ##include $RULE_PATH/emerging-activex.rules
> #include $RULE_PATH/emerging-rpc.rules
> include $RULE_PATH/emerging-virus.rules
> #include $RULE_PATH/emerging-attack_response.rules
> .......
> ##include $RULE_PATH/emerging-web_specific_apps.rules
> ##include $RULE_PATH/emerging-deleted.rules
> include $RULE_PATH/emerging-malware.rules
> ........
>  
> include $RULE_PATH/emerging-worm.rules
> .............
> include $RULE_PATH/emerging-p2p.rules
> #include $RULE_PATH/emerging-tftp.rules
> ....................
>  
> I did some testing with p2p traffic, and an alert was generated by the ET p2p rule, which is good, but the problem is that all the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc, are disabled the next morning, and I get the following every morning:
>  
> sudo vi /usr/local/snort/rules/emerging.conf
>  
> #include $RULE_PATH/classification.config
> #include $RULE_PATH/reference.config
>  
> .....
> #include $RULE_PATH/emerging-trojan.rules
> #include $RULE_PATH/emerging-games.rules
> .......
> ##include $RULE_PATH/emerging-activex.rules
> #include $RULE_PATH/emerging-rpc.rules
> #include $RULE_PATH/emerging-virus.rules
> #include $RULE_PATH/emerging-attack_response.rules
> .......
> ##include $RULE_PATH/emerging-web_specific_apps.rules
> ##include $RULE_PATH/emerging-deleted.rules
> #include $RULE_PATH/emerging-malware.rules
> ........
>  
> #include $RULE_PATH/emerging-worm.rules
> .............
> #include $RULE_PATH/emerging-p2p.rules
> #include $RULE_PATH/emerging-tftp.rules
> ....................
>  
> I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I configured before, my questions would be:
>  
> 1.) Is this the right way for Snort to use ET rules by modifying the emerging.conf as above (removing # from rules of virus, trojan, p2p etc) ?
> 2.) How can I keep the modified emerging.conf from being overwritten to a new downloaded one from ET?
>  
> Any information and help would be much appreciated.
>  
> Thanks
>  
> Regards
>  
> John
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...14333...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
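The overwrite John describes happens because the nightly download replaces emerging.conf with the upstream copy, in which every category include is commented out again. Below is an added example, not code from either poster, Oinkmaster or Emerging Threats, of a small POSIX shell post-update step that can be chained after the cron'd oinkmaster run: it keeps the list of wanted ET categories in a separate file that the updater never touches, and regenerates emerging.conf from the freshly downloaded copy so the chosen categories are re-enabled and everything else stays disabled. The paths `/usr/local/snort/rules/emerging.conf` and `/usr/local/snort/etc/et-enabled.txt` and the function names are assumptions for the example; the sample conf used in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): re-enable chosen ET categories in a
# freshly downloaded emerging.conf after each oinkmaster run.
# Assumed (hypothetical) layout:
#   /usr/local/snort/rules/emerging.conf      - file oinkmaster overwrites nightly
#   /usr/local/snort/etc/et-enabled.txt       - wanted categories, one per line
#                                               (e.g. "trojan", "malware", "p2p")
set -eu

# enable_et_categories CONF WANTED_FILE OUT
#   Reads CONF (the downloaded emerging.conf), comments out every
#   "include $RULE_PATH/emerging-<cat>.rules" line, then uncomments the lines
#   whose <cat> is listed in WANTED_FILE. Non-include lines pass through
#   unchanged. The result is written to OUT (never edit CONF in place, so a
#   failed run leaves the original intact).
enable_et_categories() {
    conf=$1; wanted=$2; out=$3
    # Build an awk alternation such as "trojan|malware|p2p"; ignore blank lines.
    cats=$(grep -v '^[[:space:]]*$' "$wanted" | paste -s -d '|' -)
    awk -v cats="$cats" '
        # Any ET category include, whether commented with one or more "#" or not.
        match($0, /^#*include \$RULE_PATH\/emerging-[A-Za-z0-9_]+\.rules/) {
            line = $0
            sub(/^#+/, "", line)                       # normalise to uncommented
            cat = line
            sub(/^include \$RULE_PATH\/emerging-/, "", cat)
            sub(/\.rules.*$/, "", cat)                 # isolate the category name
            if (cats != "" && cat ~ ("^(" cats ")$")) print line
            else print "#" line
            next
        }
        { print }                                      # classification, reference, etc.
    ' "$conf" > "$out"
}

# count_enabled FILE
#   Number of active (uncommented) ET includes; handy as a sanity check before
#   restarting Snort (grep exits 1 on zero matches, hence "|| true").
count_enabled() {
    grep -c '^include \$RULE_PATH/emerging-' "$1" || true
}

# When run directly with three arguments, act as the cron post-update step:
#   enable_et_categories emerging.conf et-enabled.txt emerging.conf.new \
#     && mv emerging.conf.new emerging.conf
if [ "$#" -eq 3 ]; then
    enable_et_categories "$1" "$2" "$3"
    echo "enabled ET categories: $(count_enabled "$3")"
fi
```

Chaining this after `oinkmaster.pl` in the same cron entry (and only swapping the new file in once it was written successfully) means the downloaded emerging.conf can still bring in new categories, which simply stay commented until they are added to the wanted list. Oinkmaster's own `skipfile emerging.conf` directive is the built-in alternative: it leaves the hand-edited file untouched, at the cost of never seeing upstream changes to it. Either way, `snort -T -c snort.conf` after the update catches a conf that no longer parses before the daemon restarts on it.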