Updating snort

Once you review and approve the changes, you can use a second configuration file to actually update your sensors (see the Oinkmaster FAQ Q3 at oinkmaster.sourceforge.net). Enabling or disabling SIDs is easy; all you have to do is add the SID in question to an "enablesid" or "disablesid" line. Version 1.2 was released in April 2005 and allows 'multiple -u ...[command line] arguments or multiple "url = ..." [statements] in oinkmaster.conf' to facilitate downloading the VRT, Community and Bleeding Snort rules all at once, among other things.

    sostub_path=/usr/local/snort/etc/rules/so_rules.rules
    ...
    distro=Ubuntu-10.04
    # For Cent OS 6.x you can use RHEL-6-0
    ...

    #rule_url=https://
    #rule_url=https://rules.emergingthreats.net/|emerging.gz|open
    # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
    #rule_url=https://rules.emergingthreats.net/|etpro.gz|
    ...
    rule_path=/usr/local/snort/etc/rules/snort.rules
    ...
    local_rules=/usr/local/snort/etc/rules/local.rules
    # Where should I put the file?
    # Path to the snort binary, we need this to generate the stub files
    snort_path=/usr/local/snort/bin/snort
    # We need to know where your file lives so that we can
    # generate the stub files
    config_path=/usr/local/snort/etc/
    # This is the file that contains all of the shared object rules that pulledpork
    # has processed, note that this has changed as of 0.4.0 just like the rules_path!

I've been working on getting my snort machine up and running, and working through Snort IDS and IPS Toolkit. The authors suggest using Oinkmaster, but on that website, the last update was February of 2008. Maybe there haven't been any issues with oinkmaster in the past year and a half, but it made me wonder if there was another solution that I don't know about.

Oinkmaster's documentation is well-written, which makes it a great place to start learning about the tool. If you use Snort, take the time to investigate Oinkmaster -- you won't regret it, I promise.

If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process.
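
Added example, not from the original page and not Oinkmaster's own code: the Python below applies "enablesid" and "disablesid" lines to a rules file by commenting or uncommenting the matching rules, and returns the list of changes so they can be reviewed before any sensor is updated. The function names, sample SIDs and sample rules are constructed for illustration, and letting disablesid win when a SID appears in both lists is this example's assumption.

```python
import re
# An active or commented-out Snort rule; group 1 = leading "#", group 3 = SID.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s.*\bsid\s*:\s*(\d+)\s*;')
DIRECTIVE_RE = re.compile(r'^(enablesid|disablesid)\s+([\d,\s]+)$')

def parse_sid_directives(conf_text):
    """Collect (enable, disable) SID sets from enablesid/disablesid lines."""
    enable, disable = set(), set()
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line.split('#', 1)[0].strip())  # drop comments
        if m:
            sids = {int(s) for s in m.group(2).replace(',', ' ').split()}
            (enable if m.group(1) == 'enablesid' else disable).update(sids)
    return enable, disable

def apply_sid_directives(rules_text, conf_text):
    """Return (new_rules_text, changes) where changes lists (sid, action)."""
    enable, disable = parse_sid_directives(conf_text)
    out, changes = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            commented, sid = bool(m.group(1)), int(m.group(3))
            if sid in disable and not commented:
                line = '#' + line                      # comment the rule out
                changes.append((sid, 'disabled'))
            elif sid in enable and sid not in disable and commented:
                line = re.sub(r'^\s*#\s*', '', line)   # restore the rule
                changes.append((sid, 'enabled'))
        out.append(line)
    return '\n'.join(out) + '\n', changes

# Constructed sample input (not real rules or a real configuration).
SAMPLE_CONF = """\
# constructed oinkmaster.conf-style lines
disablesid 1000001, 1000003
enablesid 1000002
"""
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
#alert tcp any any -> any 21 (msg:"constructed rule B"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000003; rev:2;)
alert icmp any any -> any any (msg:"constructed rule D"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for sid, action in apply_sid_directives(SAMPLE_RULES, SAMPLE_CONF)[1]:
        print(f"SID {sid}: {action}")   # review this list before deploying
```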
