[Oisf-users] Need some help with VRT Rules, and autoupdating with oinkmaster

David Woodfall dave at dawoodfall.net
Mon Oct 2 13:49:31 UTC 2017


>Hi
>
>I have just got started with suricata 4.0.0. I am not sure which VRT
>rules I should be getting.
>
>I grabbed snortrules-snapshot-29110.tar.gz a short while ago and
>copied rules/*rules to /etc/suricata/rules then I did a 'cat
>etc/sid-msg-map >> /etc/suricata/rules/sid-msg-map'.
>
>I restarted suricata and saw no errors, so now I guess I'm waiting for
>a rule match to occur in fast.log.
>
>I have a cron.daily job running oinkmaster for emerging rules, and I
>think I'm going to have to think a bit about how to merge the
>sid-msg-map with the one supplied with VRT:
>
>The cron.daily/oinkmaster command:
>/usr/sbin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/suricata/rules
>
>/etc/oinkmaster.conf:
>url =
>https://rules.emergingthreats.net/open/suricata-3.2/emerging.rules.tar.gz
>
>If anyone can give some hints/tips etc. I'd be very grateful.
>
>Thanks
>
>Dave

Sorry for replying to my own post. This is the solution that I've come
up with:

When I get the snort VRT rules tarball, I untar it in /etc/snort. Then
I have a daily cronjob:

####
root at blackswan:pts/16-> /etc/cron.daily (0)
cat oinkmaster
#!/bin/sh

/usr/sbin/oinkmaster.pl -C /etc/oinkmaster.conf \
    -o /etc/suricata/rules/new >/dev/null 2>&1

mv /etc/suricata/rules/new/*rules /etc/suricata/rules

cat /etc/snort/etc/classification.config \
    /etc/suricata/rules/new/classification.config | \
    sort -u > /etc/suricata/rules/classification.config

cat /etc/snort/etc/reference.config \
    /etc/suricata/rules/new/reference.config | \
    sort -u > /etc/suricata/rules/reference.config

cat /etc/snort/etc/sid-msg.map \
    /etc/suricata/rules/new/sid-msg.map | \
    sort -u > /etc/suricata/rules/sid-msg.map
####

It seems to work, but there are problems with whitespace in the
reference.config which cause some double entries. I'm not sure if
that's a problem yet.
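
An added example, not part of the original post: one way to merge the two reference.config files so that entries differing only in spaces or tabs collapse to a single line, which plain `sort -u` cannot do. The function names, the first-entry-wins policy and the sample lines in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# reference.config entries have the form:  config reference: <type> <url-prefix>
# The separator may be any mix of spaces and tabs, so `sort -u` keeps
# entries that differ only in whitespace.

# merge_reference_config FILE...
# Prints one normalized entry per reference type; the first occurrence wins.
merge_reference_config() {
    cat "$@" | tr -d '\r' | awk '
        /^[ \t]*config[ \t]+reference:/ {
            # Strip the keyword; awk re-splits the rest on any whitespace run.
            sub(/^[ \t]*config[ \t]+reference:[ \t]*/, "")
            if (NF == 0) next
            key = $1; url = $2
            if (!(key in seen)) {
                seen[key] = url; order[++n] = key
            } else if (seen[key] != url) {
                # Same type, different URL: keep the first and report it.
                printf "conflict: %s: kept %s, dropped %s\n", key, seen[key], url > "/dev/stderr"
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                line = "config reference: " k
                if (seen[k] != "") line = line " " seen[k]
                print line
            }
        }
    '
}

# demo: constructed sample files with whitespace-only duplicates.
demo() {
    d=$(mktemp -d) || return 1
    printf 'config reference: bugtraq   http://www.securityfocus.com/bid/\nconfig reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=\n' > "$d/vrt"
    printf '# comment\nconfig reference: bugtraq\thttp://www.securityfocus.com/bid/ \r\nconfig reference: url http://\n' > "$d/et"
    merge_reference_config "$d/vrt" "$d/et"
    rm -rf "$d"
}
```

In the cron job above this would replace only the `cat ... | sort -u` step for reference.config; sid-msg.map is left alone because collapsing whitespace there would alter rule messages.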



