[Oisf-users] oinkmaster.conf to suricata-update files

Jeff Dyke jeff.dyke at gmail.com
Mon Feb 25 22:02:46 UTC 2019


Thanks Jason,  I think it would require a code change for sure; I was
reading through the rule logic on Friday and saw that it was not possible.
I got around it by simply piping the file through a sed script and grabbing
every sid from non-commented-out lines in emerging-scan.rules.  This will
work for me as I download all of the rules to a single server and rsync
them around.  But for other setups it may not be tenable.

I may dig a bit deeper and see how this could be done by changing as little
as possible.  I found it to be a nice feature of Oinkmaster because some of
the commented-out rules are very quick to block local/loopback traffic.

I'll look into it a bit more and open a hopefully detailed ticket.

On Sun, Feb 24, 2019 at 7:10 PM Jason Ish <jason.ish at oisf.net> wrote:

> On 2019-02-21 12:47 p.m., Jeff Dyke wrote:
> > Very hesitant to ask another question after I forgot to check
> permissions :)
>
> Don't be :)
>
> >
> > Anyway.  In oinkmaster.conf i have
> >
> > define_template make_drop "^alert" | "drop"
> >
> > use_template make_drop drop.rules, tor.rules, ciarmy.rules,
> compromised.rules, emerging-scan.rules, emerging-malware.rules,
> dshield.rules
> >
> > This is designed to drop everything that is not commented out, but if I
> > add emerging-scan.rules to drop.conf, suricata-update seems to process
> > the drop file last, so I'm looking for an analogous way to support
> > converting alerts to drops only if they are not commented out. The
> > biggest issue I have is that the commented-out rules in this file
> > include same source/destination and local calls, sids 2100528 and
> > 2100527, which I have in disable.conf, but that is processed before
> > drop.conf.
> >
> > In the example above, I was able to support anything that the
> > maintainers felt didn't need to be in the file.
>
> I can't think off-hand of an easy way to replicate this feature from
> Oinkmaster. I'm actually not familiar with it from Oinkmaster either, but
> I can't say I've used it much.
>
> I think it's worth opening a ticket for.  Even if it's resolvable without
> code changes, it would probably still make a good documentation addition.
>
> Thanks,
> Jason
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
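The sed workaround described in the message above, written out as an added example; this is not code from the thread, from Oinkmaster or from suricata-update. It collects the sid of every alert rule that is not commented out in a rule file, drops any sid that also appears in disable.conf, and prints the result as a drop.conf fragment (one sid per line, the plain-sid form suricata-update's enable/disable/drop files accept), so the drop pass never touches the rules the maintainers disabled. The sample rule file, the sample disable.conf and the sids beginning 9000 are constructed here; 2100528 and 2100527 are the two sids named in the message.

```shell
#!/bin/sh
# Added example (not from the thread, Oinkmaster or suricata-update): build a
# drop.conf fragment from the *active* rules of an ET rule file, so that rules
# the maintainers commented out are not converted to drop. The file names and
# the sample data in demo() are constructed for illustration.

# Print the sid of every enabled alert rule in the rule file $1, skipping any
# sid listed in the disable.conf given as $2 ("2100528" or "1:2100528" form;
# group: and re: entries are not interpreted here). Output: one sid per line,
# in rule-file order, ready to append to drop.conf.
build_drop_conf() {
    rules_file=$1
    disable_conf=${2:-/dev/null}
    awk -v disable_conf="$disable_conf" '
        BEGIN {
            # Load plain numeric sids from disable.conf into an associative array.
            while ((getline line < disable_conf) > 0) {
                sub(/#.*/, "", line)            # strip a trailing comment
                gsub(/[ \t]/, "", line)         # and all whitespace
                sub(/^1:/, "", line)            # "1:<sid>" -> "<sid>"
                if (line ~ /^[0-9]+$/) disabled[line] = 1
            }
        }
        # Only lines that *start* with "alert" are live rules; a rule the
        # maintainers disabled starts with "#" (or "# ") and is not matched.
        /^[ \t]*alert[ \t]/ && match($0, /[ \t;(]sid:[ \t]*[0-9]+/) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/.*sid:[ \t]*/, "", sid)        # keep just the number
            if (!(sid in disabled)) print sid
        }
    ' "$rules_file"
}

# Self-contained demonstration on constructed data in the style of
# emerging-scan.rules and disable.conf. Prints the generated drop.conf lines.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/emerging-scan.rules" <<'EOF'
# constructed sample rules; sids 9000001-9000003 are made up for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN ssh sweep"; sid:9000001; rev:1;)
#alert tcp any any -> any any (msg:"SAMPLE SCAN same src/dst"; sid:2100528; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SAMPLE SCAN snmp"; sid:9000002; rev:1;)
# alert icmp any any -> any any (msg:"SAMPLE SCAN loopback"; sid:2100527; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"SAMPLE SCAN rdp"; sid:9000003; rev:1;)
EOF
    cat > "$dir/disable.conf" <<'EOF'
# constructed disable.conf: the two sids from the message plus one local choice
2100528
1:2100527
9000003
EOF
    build_drop_conf "$dir/emerging-scan.rules" "$dir/disable.conf"
    rm -rf "$dir"
}

demo
```

Run it once per rule file you want converted and append the output to drop.conf before running suricata-update; because only sids of enabled rules are emitted, a rule that is commented out upstream, or that you list in disable.conf, never gets a drop entry.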