[Oisf-users] Need some help with VRT Rules, and autoupdating with oinkmaster
Peter Manev
petermanev at gmail.com
Mon Oct 9 08:28:50 UTC 2017
On 2 Oct 2017, at 15:49, David Woodfall <dave at dawoodfall.net> wrote:
>> Hi
>>
>> I have just got started with suricata 4.0.0. I am not sure which VRT
>> rules I should be getting.
As an FYI
Although Suricata offers some compatibility with VRT, it is not 100%, and VRT rules are neither written nor focused and tested for Suricata performance (or using some of its advanced features, as the ET Open/Pro Suricata-specific rule sets are).
In my testing - live and pcap runs (right out of the box) - it actually hurts Suricata performance by a margin of 20-40%.
>>
>> I grabbed snortrules-snapshot-29110.tar.gz a short while ago and
>> copied rules/*rules to /etc/suricata/rules then I did a 'cat
>> etc/sid-msg-map >> /etc/suricata/rules/sid-msg-map'.
>>
>> I restarted suricata and saw no errors, so now I guess I'm waiting for
>> a rule match to occur in fast.log.
>>
>> I have a cron.daily job running oinkmaster for emerging rules, and I
>> think I'm going to have to think a bit about how to merge the
>> sid-msg-map with the one supplied with VRT:
>>
>> The cron.daily/oinkmaster command:
>> /usr/sbin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/suricata/rules
>>
>> /etc/oinkmaster.conf:
>> url =
>> https://rules.emergingthreats.net/open/suricata-3.2/emerging.rules.tar.gz
>>
>> If anyone can give some hints/tips etc. I'd be very grateful.
>>
>> Thanks
>>
>> Dave
>
> Sorry for replying to my own post. This is the solution that I've come
> with:
>
> When I get the snort VRT rules tarball, I untar it in /etc/snort. Then
> I have a daily cronjob:
>
> ####
> root at blackswan:pts/16-> /etc/cron.daily (0)
> cat oinkmaster
> #!/bin/sh
>
> /usr/sbin/oinkmaster.pl -C /etc/oinkmaster.conf \
> -o /etc/suricata/rules/new >/dev/null 2>&1
>
> mv /etc/suricata/rules/new/*rules /etc/suricata/rules
>
> cat /etc/snort/etc/classification.config \
> /etc/suricata/rules/new/classification.config | \
> sort -u > /etc/suricata/rules/classification.config
>
> cat /etc/snort/etc/reference.config \
> /etc/suricata/rules/new/reference.config | \
> sort -u > /etc/suricata/rules/reference.config
>
> cat /etc/snort/etc/sid-msg.map \
> /etc/suricata/rules/new/sid-msg.map | \
> sort -u > /etc/suricata/rules/sid-msg.map
> ####
>
> It seems to work, but there are problems with whitespace in the
> reference.config which cause some double entries. I'm not sure if
> that's a problem yet.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
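The merge script above relies on `sort -u`, which only collapses byte-identical lines, so two entries that differ in spacing survive as "double entries", and, more importantly for alert triage, two sources that map the same SID to different messages are both kept silently. The following is an added example, not the poster's cron job or anything shipped by Snort or Suricata: it normalizes whitespace before de-duplicating and then reports SIDs that still carry more than one message after the merge. The file contents and URLs are constructed fixtures for the demo, not real VRT or ET data; the function names are my own.

```shell
#!/bin/sh
# Added example: whitespace-aware merge of Snort/Suricata map files plus a
# SID collision check. Not the poster's script; all sample data is constructed.
set -eu

# Collapse runs of blanks/tabs to one space, trim the line ends, drop empty lines.
normalize() {
    sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$@"
}

# merge_maps SRC1 SRC2 DEST: union of both files, whitespace-normalized, sorted, unique.
merge_maps() {
    normalize "$1" "$2" | sort -u > "$3"
}

# line_count FILE: number of lines, without the leading blanks some wc builds print.
line_count() {
    awk 'END { print NR }' "$1"
}

# sid_collisions FILE: SIDs that map to more than one message in a v1 sid-msg.map
# ("sid || msg || ref || ..."). Output: "<sid>: <msg1> / <msg2>", one per SID.
sid_collisions() {
    awk -F' \\|\\| ' 'NF >= 2 {
            count[$1]++
            msg[$1] = msg[$1] (count[$1] > 1 ? " / " : "") $2
        }
        END { for (s in count) if (count[s] > 1) print s ": " msg[s] }' "$1" | sort -n
}

# make_fixture DIR: constructed sample files standing in for the two rule sources.
make_fixture() {
    dir=$1
    printf '%s\n' 'config reference: bugtraq http://reference.example/bid/' \
                  'config reference: cve    http://reference.example/cve?name=' \
        > "$dir/reference.snort"
    printf '%s\n' 'config reference: bugtraq  http://reference.example/bid/' \
                  'config reference: url http://' \
        > "$dir/reference.et"
    printf '%s\n' '1000001 || CONSTRUCTED test rule A || cve,2000-0001' \
                  '1000002 || CONSTRUCTED test rule B' \
        > "$dir/sid.snort"
    printf '%s\n' '1000002 || CONSTRUCTED test rule B' \
                  '1000003 || CONSTRUCTED test rule C' \
                  '1000001 || CONSTRUCTED different message for A' \
        > "$dir/sid.et"
}

# demo: merge the fixtures and show what the whitespace normalization and the
# collision report catch that a plain "cat | sort -u" does not.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    merge_maps "$tmp/reference.snort" "$tmp/reference.et" "$tmp/reference.config"
    merge_maps "$tmp/sid.snort" "$tmp/sid.et" "$tmp/sid-msg.map"
    echo "reference.config entries after merge: $(line_count "$tmp/reference.config")"
    echo "sid-msg.map entries after merge:      $(line_count "$tmp/sid-msg.map")"
    echo "SIDs with conflicting messages:"
    sid_collisions "$tmp/sid-msg.map"
    rm -rf "$tmp"
}

demo
```

The same collision check applies to classification.config: `sort -u` will happily keep two `config classification:` lines for one classtype with different priorities, so run an equivalent first-field check there before pointing Suricata at the merged file. Treat a non-empty collision report as a stop condition in the cron job rather than something to look at later, since a wrong sid-to-msg mapping changes what an analyst reads in fast.log for that SID.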