[Emerging-Sigs] The New Rulesets are Ready!!

Weir, Jason jason.weir at nhrs.org
Wed Oct 13 20:23:00 EDT 2010

I looked quickly but could not find how to make snort look in multiple rules directories - point me in the right direction kemosabe


----- Original Message -----
From: emerging-sigs-bounces at emergingthreats.net <emerging-sigs-bounces at emergingthreats.net>
To: emerging-sigs at emergingthreats.net <emerging-sigs at emergingthreats.net>
Sent: Wed Oct 13 20:09:36 2010
Subject: Re: [Emerging-Sigs] The New Rulesets are Ready!!

On 10/13/2010 13:49, Weir, Jason wrote:
> Looks like I have a solution - Thanks Kevin for the inspiration....
> First I changed my script that runs oinkmaster to the following
> 	#!/bin/sh
> 	/usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
> 	/usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et
> 	cp /etc/snort/rules/vrt/*.* /etc/snort/rules
> 	cp /etc/snort/rules/et/*.* /etc/snort/rules
> in the vrt.conf file I disabled all the overlapping rules - included in the attached txt file

holy smokes, batman! that's almost what i was looking at ;)

except, why copy the files to a central directory?? snort can easily look 
in multiple directories... that's an extra unneeded step in my book :P

> I also use Andreas Östling's create-sidmap.pl which also complained about the duplicate SIDs in the rules dir.

i use this also... oooohhhhhhh... i think i see what you are saying... multiple 
SID maps files are not handled all that well by external processing facilities???

> On line 101 of create-sidmap.pl I added the following line to skip disabled rules
> 	next if ($single =~ /^\#/);
> Now I get all the ET Open rules and all the VRT free rules (with community rules disabled)
> Hope someone gets some use out of it.

it may very well come in handy 8)



Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
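
Added example, not part of the original thread and not code from oinkmaster or create-sidmap.pl: a shell check for the duplicate-SID problem discussed above, run directly against the separate vrt/ and et/ output directories. It skips rules disabled with a leading '#', the same idea as the create-sidmap.pl change. The function names and the sample rules and SIDs are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports SIDs that are enabled in more
# than one place under the given rule directories. Rules commented out with
# a leading '#' are skipped, as in the create-sidmap.pl change.
TAB=$(printf '\t')

dup_sids() {
    find "$@" -type f -name '*.rules' -exec awk '
        /^[ \t]*#/ { next }                       # disabled rule
        match($0, /sid:[ \t]*[0-9]+[ \t]*;/) {    # first sid option on the line
            sid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", sid)
            print sid "\t" FILENAME
        }' {} + |
    sort -t "$TAB" -k1,1n -k2 |
    awk -F '\t' '
        ($1 "") != (sid "") { if (n > 1) print sid "\t" files; sid = $1; files = ""; n = 0 }
        { files = files (n++ ? "," : "") $2 }
        END { if (n > 1) print sid "\t" files }'
}

# Constructed sample rules (SIDs are made up) in the vrt/ and et/ layout.
make_sample() {
    mkdir -p "$1/vrt" "$1/et"
    printf '%s\n' \
        'alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:1;)' \
        '# alert tcp any any -> any 80 (msg:"constructed B"; sid:1000002; rev:1;)' \
        > "$1/vrt/web.rules"
    printf '%s\n' \
        'alert tcp any any -> any 80 (msg:"constructed A copy"; sid:1000001; rev:3;)' \
        'alert tcp any any -> any 80 (msg:"constructed B"; sid:1000002; rev:2;)' \
        'alert udp any any -> any 53 (msg:"constructed C"; sid: 1000003 ; rev:1;)' \
        > "$1/et/web.rules"
}

demo=$(mktemp -d)
make_sample "$demo"
dup_sids "$demo/vrt" "$demo/et"   # one line: 1000001 and both files
rm -rf "$demo"
```

Each output line is a SID, a tab, and the comma-separated files where that SID is still enabled; empty output means the rule directories can be loaded together without SID collisions.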

