Automatically Update Snort’s Rules
Keep your Snort rules up-to-date with Oinkmaster.
If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process. However, as the number of sensors grows it can become more difficult. Luckily, you can automatically update your Snort rules with Oinkmaster (http://oinkmaster.sourceforge.net/news.shtml).

Oinkmaster is a Perl script that does much more than just download new Snort rules. It will also modify the newly downloaded rules according to rules that you specify, or selectively disable them, which is useful when you've modified the standard Snort rules to fit your environment more closely or have disabled a rule that was reporting too many false positives.
To install Oinkmaster, simply download the source distribution and unpack it. Then copy the oinkmaster.pl file from the directory that it creates to some suitable place on your system. In addition, you'll need to copy the oinkmaster.conf file to either /etc or /usr/local/etc. The oinkmaster.conf that comes with the source distribution is full of comments explaining all the minute options that you can configure.

Oinkmaster is most useful when you want to update your rules but have a set of rules that you don't want enabled and that are already commented out in your current Snort rules. To have Oinkmaster automatically disable these rules, use the disablesid directive with the Snort rule ID that you want disabled when your rules are updated. ...
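The disablesid workflow described above, as an added example that is not Oinkmaster's own code and not from the book: a small Python script that finds the rules already commented out in the sensor's current ruleset, emits the matching disablesid line for oinkmaster.conf, and applies that line to a freshly downloaded rules file so the local tuning survives the update. The rule lines and SIDs are constructed samples; the directive parser assumes Oinkmaster's comma-separated SID list with optional ranges, and backslash-continued multi-line rules are not handled.

```python
import re

# Constructed sample: the sensor's current rules file. The operator has already
# commented out a rule that produced too many false positives (sid 1000002).
CURRENT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; sid:1000001; rev:1;)
# Tuning note: the next rule was too noisy on our web farm
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy web rule"; sid:1000002; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP sweep"; sid:1000003; rev:1;)
"""

# Constructed sample: a freshly downloaded rules file. Upstream revised the noisy
# rule (still enabled) and added a new one; a naive copy would undo the local tuning.
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy web rule"; sid:1000002; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP sweep"; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS oddity"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTIONS = ('alert', 'log', 'pass', 'drop', 'reject', 'sdrop')
RULE_START = re.compile(r'^(%s)\s' % '|'.join(ACTIONS))


def split_rule_line(line):
    """Return (is_commented, rule_body) if line is a Snort rule, else None.

    A disabled rule is a rule line whose first non-blank character is '#';
    ordinary comments that do not start with a rule action are ignored."""
    stripped = line.strip()
    commented = stripped.startswith('#')
    body = stripped.lstrip('#').strip() if commented else stripped
    if not RULE_START.match(body):
        return None
    return commented, body


def disabled_sids(rules_text):
    """SIDs of every rule that is commented out in rules_text."""
    sids = set()
    for line in rules_text.splitlines():
        parsed = split_rule_line(line)
        if parsed is None:
            continue
        commented, body = parsed
        m = SID_RE.search(body)
        if commented and m:
            sids.add(int(m.group(1)))
    return sids


def disablesid_directive(sids):
    """Render SIDs as a 'disablesid' line in comma-separated form (assumed format)."""
    return 'disablesid ' + ', '.join(str(s) for s in sorted(sids))


def parse_disablesid(directive):
    """Parse 'disablesid 100, 200-205' (assumed Oinkmaster-style list with ranges)."""
    keyword, _, rest = directive.strip().partition(' ')
    if keyword != 'disablesid':
        raise ValueError('not a disablesid directive: %r' % directive)
    sids = set()
    for item in rest.split(','):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition('-')
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if hi < lo:
            raise ValueError('bad range: %s' % item)
        sids.update(range(lo, hi + 1))
    return sids


def apply_disablesid(rules_text, sids):
    """Comment out enabled rules whose sid is in sids; return (new_text, sids_changed).

    Rules that are already commented out are left alone, so re-running is idempotent."""
    out, changed = [], set()
    for line in rules_text.splitlines():
        parsed = split_rule_line(line)
        if parsed is not None:
            commented, body = parsed
            m = SID_RE.search(body)
            if not commented and m and int(m.group(1)) in sids:
                line = '#' + line
                changed.add(int(m.group(1)))
        out.append(line)
    return '\n'.join(out) + '\n', changed


def update_rules(current_text, new_text):
    """Whole flow: learn local disables, build the directive, apply it to the new rules."""
    directive = disablesid_directive(disabled_sids(current_text))
    merged, changed = apply_disablesid(new_text, parse_disablesid(directive))
    return directive, merged, changed


if __name__ == '__main__':
    directive, merged, changed = update_rules(CURRENT_RULES, NEW_RULES)
    print(directive)
    print('re-disabled after update:', sorted(changed))
    print(merged)
```

The generated directive is what you would paste into oinkmaster.conf; the apply step shows why it matters, since the upstream file re-enables the tuned-out rule with a new revision and only the sid-based disable keeps it off across updates.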