[Snort-users] ET rules in emerging.conf deactivated after updating via Oinkmaster&cron

Jun Wan junwei_wan at ...125...
Mon Nov 29 19:40:48 EST 2010


Hi,
 
Sorry for sending an email without any content in "subject", I was tired last night.
 
So I sent it again this morning, this time with something in the subject.
 
Many thanks to Joel and Matt for responding to my "no subject" email; please see below in case someone is interested in this subject.
 
From Joel Esler
 
John, have you looked into pulledpork?
 
http://code.google.com/p/pulledpork/
 
Check it out for updating rules. 

Sent from my iPad
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
From Matthew Jonkman
 
I also recommend Pulled Pork as Joel recommended. I'd also recommend that you take the emerging.conf and just pull into your traditional snort.conf what you need. snort.conf shouldn't ever be overwritten, and then all of your config is in the same place.  
 
Pulled Pork and other tools should tell you when you have a change in emerging.conf you need to consider using. For example we're pushing out a SCADA ruleset soon in a separate file, so you'll need to add that to your config if you want to run those rules. That will show in the emerging.conf and you can add it to your snort.conf if you desire. 
 
Does that help?
 
Matt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
 
Regards
 
John

 


From: junwei_wan at ...125...
To: snort-users at lists.sourceforge.net; emerging-sigs at ...14333...
Date: Mon, 29 Nov 2010 21:24:57 +0000
Subject: [Snort-users] ET rules in emerging.conf deactivated after updating via Oinkmaster&cron




Hi,

 
I am running Snort 2.8.6.0 with oinkmaster scheduled by cron to run an update every day at 2:00 am. I have a very simple oinkmaster.conf; I add nothing but the following two lines to oinkmaster.conf (I haven't gone through the rules files taking down the sids to disable, etc.), please see the following:
sudo vi /usr/local/etc/oinkmaster.conf
url = http://www.snort.org/pub-bin/oinkmaster.cgi/a93935045ae0f18b52cb7a18df2e1fded2db292e/snortrules-snapshot-2860.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
 
Cron does a good job every day at 2:00 am, as I can see lots of rules are updated via "ls -l /usr/local/snort/rules", please see the following:
...............
-rw-r--r-- 1 root root  558418 2010-11-28 02:01 emerging-trojan.rules
-rw-r--r-- 1 root root  222930 2010-11-28 02:01 emerging-user_agents.rules
-rw-r--r-- 1 root root   26489 2010-11-21 02:01 emerging-virus.rules
-rw-r--r-- 1 root root    6974 2010-11-11 02:01 emerging-voip.rules
-rw-r--r-- 1 root root   48160 2010-11-25 02:01 emerging-web_client.rules
-rw-r--r-- 1 root root  103214 2010-11-25 02:01 emerging-web_server.rules
-rw-r--r-- 1 root root 2864857 2010-11-28 02:01 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root   17216 2010-11-11 02:01 emerging-worm.rules
-rw-r--r-- 1 1210 1210    1327 2005-05-17 08:18 experimental.rules
-rw-r--r-- 1 1210 1210  131923 2010-11-28 02:01 exploit.rules
-rw-r--r-- 1 1210 1210    4578 2010-10-30 16:12 finger.rules
-rw-r--r-- 1 1210 1210   32417 2010-11-26 02:01 ftp.rules
-rw-r--r-- 1 root root   18269 2010-10-30 13:13 gen-msg.map
-rw-r--r-- 1 root root   18092 2010-10-30 13:13 gpl-2.0.txt
-rw-r--r-- 1 1210 1210   16989 2010-04-30 00:27 icmp-info.rules
-rw-r--r-- 1 1210 1210    5546 2010-11-26 02:01 icmp.rules
-rw-r--r-- 1 1210 1210   32828 2010-11-26 02:01 imap.rules
-rw-r--r-- 1 1210 1210    1043 2010-04-30 00:27 info.rules  
...............
 
And I add emerging.conf in the following:
 
sudo vi /usr/local/snort/etc/snort.conf  
 
..............
 
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/emerging.conf
.................
 
 
VRT rules are the foundation of detecting abnormal network activities, whilst the Emerging Threats rules are ones I want to use as well to cover virus, trojan, malware etc., so I did the following:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
........
 
include $RULE_PATH/emerging-worm.rules
.............
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I did some testing with p2p traffic, and an alert was generated by the ET p2p rule, which is good, but the problem is that all the rules I enabled in emerging.conf, e.g. trojan, malware, p2p etc., are disabled the next morning, and I get the following every morning:
 
sudo vi /usr/local/snort/rules/emerging.conf 
 
#include $RULE_PATH/classification.config
#include $RULE_PATH/reference.config
 
.....
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
.......
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
#include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-attack_response.rules
.......
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-malware.rules
........
 
#include $RULE_PATH/emerging-worm.rules
.............
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
....................
 
I think this may be because Oinkmaster downloads emerging.conf at 2:00 am every morning, so it overwrites the one I configured before. My questions would be:
 
1.) Is this the right way for Snort to use ET rules, by modifying the emerging.conf as above (removing # from the rules for virus, trojan, p2p etc.)?
2.) How can I keep the modified emerging.conf from being overwritten by a newly downloaded one from ET?
 
Any information and help would be much appreciated.
 
Thanks
 
Regards
 
John
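The workflow Matt describes above, as an added example that is not part of this thread and not code from Oinkmaster or Pulled Pork: keep the active include lines in snort.conf (which the updater never touches), and when a fresh emerging.conf arrives, compare it with the previous copy so that newly shipped rule files (the SCADA file in Matt's example) or dropped ones are noticed instead of silently ignored. The file paths and the two emerging.conf samples are constructed for the demo; the real ET files are larger and live under the rules directory shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the "includes live in
# snort.conf" workflow: list the active includes worth moving, and report
# which rule files a freshly downloaded emerging.conf adds or removes
# relative to the previous copy. Paths and file contents are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the emerging.conf as edited last week.
cat > "$WORK/emerging.conf.old" <<'EOF'
#include $RULE_PATH/classification.config
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
include $RULE_PATH/emerging-virus.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-p2p.rules
EOF

# Constructed stand-in for the copy the updater just downloaded: every include
# is commented out again, and a new rule file has appeared in the list.
cat > "$WORK/emerging.conf.new" <<'EOF'
#include $RULE_PATH/classification.config
#include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-games.rules
#include $RULE_PATH/emerging-virus.rules
##include $RULE_PATH/emerging-deleted.rules
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-scada.rules
EOF

# Every .rules file named on an include line, whether commented out or not.
rule_files() {
    sed -n 's/^#*[[:space:]]*include[[:space:]]*\$RULE_PATH\/\([^[:space:]]*\.rules\).*$/\1/p' "$1" | sort -u
}

# Include lines that are active (not commented) in the given file: these are
# the lines to carry into snort.conf so an overwrite of emerging.conf is harmless.
active_includes() {
    grep '^[[:space:]]*include[[:space:]]' "$1"
}

# Rule files present in the new file ($2) but absent from the old one ($1).
added_rule_files() {
    rule_files "$1" > "$WORK/rf.old"
    rule_files "$2" > "$WORK/rf.new"
    comm -13 "$WORK/rf.old" "$WORK/rf.new"
}

# Rule files listed in the old file ($1) that the new file ($2) no longer ships.
removed_rule_files() {
    rule_files "$1" > "$WORK/rf.old"
    rule_files "$2" > "$WORK/rf.new"
    comm -23 "$WORK/rf.old" "$WORK/rf.new"
}

echo "== includes to keep in snort.conf =="
active_includes "$WORK/emerging.conf.old"
echo "== rule files newly offered =="
added_rule_files "$WORK/emerging.conf.old" "$WORK/emerging.conf.new"
echo "== rule files no longer shipped =="
removed_rule_files "$WORK/emerging.conf.old" "$WORK/emerging.conf.new"
```

Run from the cron job after the update, with the previous emerging.conf saved beside the new one, and the report lands in the cron mail where an operator will see it. For question 2 on its own, Oinkmaster's `skipfile` directive in oinkmaster.conf names files it must not overwrite, so `skipfile emerging.conf` would also preserve the edited copy, at the cost of never seeing new rule files; moving the includes into snort.conf keeps both.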