[Emerging-Sigs] The New Rulesets are Ready!!

Weir, Jason jason.weir at nhrs.org
Wed Oct 13 13:49:54 EDT 2010


Looks like I have a solution - Thanks Kevin for the inspiration....

First I changed my script that runs oinkmaster to the following

	#!/bin/sh
	# Update each ruleset into its own directory so oinkmaster never
	# sees the VRT and ET copies of a duplicated SID in the same run.
	/usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
	/usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et

	# Then merge both trees into the directory snort.conf includes.
	cp /etc/snort/rules/vrt/*.* /etc/snort/rules
	cp /etc/snort/rules/et/*.* /etc/snort/rules

In the vrt.conf file I disabled all the overlapping rules - included in the attached txt file.

I also use Andreas Östling's create-sidmap.pl which also complained about the duplicate SIDs in the rules dir.

On line 101 of create-sidmap.pl I added the following line to skip disabled rules

	next if ($single =~ /^\#/);   # skip rules that are commented out

Now I get all the ET Open rules and all the VRT free rules (with community rules disabled)

Hope someone gets some use out of it.

-J
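As an added example (not part of this thread, oinkmaster or create-sidmap.pl), a small Python script that finds SIDs enabled in both the VRT and ET rule sets and prints the matching oinkmaster.conf `disablesid` lines; it skips commented-out rules the same way the create-sidmap.pl one-liner above does. The sample rules are constructed, and `active_sids_in_dir` assumes the two oinkmaster output directories from the script above.

```python
import os
import re

# Snort rule options carry the signature id as "sid:NNN;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def active_sids(rule_text):
    """SIDs of rules that are not commented out (a leading '#' marks a
    disabled rule, the same check the create-sidmap.pl one-liner uses)."""
    sids = set()
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids

def active_sids_in_dir(rules_dir):
    """Union of active SIDs over every *.rules file in a directory
    (e.g. /etc/snort/rules/vrt and /etc/snort/rules/et; assumed paths)."""
    sids = set()
    for name in sorted(os.listdir(rules_dir)):
        if name.endswith(".rules"):
            with open(os.path.join(rules_dir, name)) as fh:
                sids |= active_sids(fh.read())
    return sids

def overlapping_sids(vrt_sids, et_sids):
    """SIDs enabled in both rulesets, i.e. the duplicates Snort rejects."""
    return sorted(set(vrt_sids) & set(et_sids))

def oinkmaster_disable_lines(sids):
    """Render SIDs as oinkmaster.conf 'disablesid' directives."""
    return ["disablesid %d" % sid for sid in sids]

# Constructed sample rules (not real VRT or ET signatures).
VRT_SAMPLE = """\
alert tcp any any -> any 80 (msg:"SAMPLE A"; content:"a"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE B"; content:"b"; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"SAMPLE C"; content:"c"; sid:1000003; rev:1;)
"""
ET_SAMPLE = """\
alert tcp any any -> any 80 (msg:"SAMPLE B"; content:"b"; sid:1000002; rev:2;)
alert tcp any any -> any 80 (msg:"SAMPLE C"; content:"c"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"ET ONLY"; content:"d"; sid:2000001; rev:1;)
"""

if __name__ == "__main__":
    dup = overlapping_sids(active_sids(VRT_SAMPLE), active_sids(ET_SAMPLE))
    print("\n".join(oinkmaster_disable_lines(dup)))
```

Only SID 1000002 is reported for the samples, because the VRT copy of 1000003 is already commented out; the printed lines can be pasted into vrt.conf.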

-----Original Message-----
From: Kevin Ross [mailto:kevross33 at googlemail.com] 
Sent: Wednesday, October 13, 2010 9:02 AM
To: Weir, Jason; emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] The New Rulesets are Ready!!


Possibly have 2 different oinkmasters/pulledporks scheduled to run. One for the VRT rules and the other for ET (doesn't matter if you duplicate the sigs for disables and modifies, will skip if it isn't there). That way you can download the VRT rules and have your update script disable the appropriate sids and then have ET pulled down and do the modifications separately, that way oinkmaster/pulledpork is not pulling down 2 rulesets with duplicated sigs so it can handle them. Not tried but I think that would work.


On 13 October 2010 13:37, Weir, Jason <jason.weir at nhrs.org> wrote:

Matt,

Maybe I'm missing something...

If I use the open-nongpl + vrt free rulesets then I won't get the updated
GPL rules from you guys..

To get the updated GPL rules I will need to skip the VRT free rules
which means missing out on a bunch of rules there.

I was trying to come up with a way to have the best of both worlds and
use the VRT free rules but also get the updated GPL rules from ET.

What's your reason behind not changing the SIDs?

I'm lobbying for SID changes because I could then use oinkmaster to
disable the VRT GPL rules and have my cake and eat it too..

But I know it's not your job to ensure compatibility between VRT &
ET....

If anybody has another option I'm missing - please let me know..

-J


-----Original Message-----
From: Matthew Jonkman [mailto:jonkman at emergingthreatspro.com]
Sent: Tuesday, October 12, 2010 6:34 PM
To: Weir, Jason
Cc: Emerging Threats Threats emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] The New Rulesets are Ready!!


On Oct 11, 2010, at 8:43 AM, Weir, Jason wrote:

> Thanks Matt (and ET team), Awesome job!!!
>
> Quick question.
>
> Going forward will you be updating the GPL rules? Will they get new
> SIDs?
>

No, we won't re-sid them. But they will be updated. There are some
SERIOUS performance hogs, we're fixing as we can.

> Reason I ask is I run the VRT free rules as well as the ET open rules.
>
> The problem is the 409 overlaps you describe below
>
> With oinkmaster I can't figure out how to disable the GPL rules from
> VRT (by sid) without disabling the same SIDs in the ET rules.
>

I imagine you've seen by now (I'm late in replying) but I put up a
tarball that'll not have the gpl sigs. open-nogpl.

Have you tried that one, and if so is it solving the problem?

Thanks

Matt

> Any ideas?
>
> -Jason
Name: overlap.txt
Url: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20101013/20132f39/overlap-0001.txt

