[Emerging-Sigs] The New Rulesets are Ready!!

Joel Esler jesler at sourcefire.com
Wed Oct 13 20:38:41 EDT 2010


Different variables.

RULE_PATH=/etc/snort/rules
RULE_PATH_ET=/etc/snort/rules/et

include $RULE_PATH/web-iis.rules
include $RULE_PATH_ET/web-iis.rules (or whatever)

J

On Wed, Oct 13, 2010 at 8:23 PM, Weir, Jason <jason.weir at nhrs.org> wrote:

>  I looked quickly but could not find how to make snort look in multiple
> rules directories - point me in the right direction kemosabe
>
>
> -J
>
> ----- Original Message -----
> From: emerging-sigs-bounces at emergingthreats.net <
> emerging-sigs-bounces at emergingthreats.net>
> To: emerging-sigs at emergingthreats.net <emerging-sigs at emergingthreats.net>
> Sent: Wed Oct 13 20:09:36 2010
> Subject: Re: [Emerging-Sigs] The New Rulesets are Ready!!
>
> On 10/13/2010 13:49, Weir, Jason wrote:
> > Looks like I have a solution - Thanks Kevin for the inspiration....
> >
> > First I changed my script that runs oinkmaster to the following
> >
> >       #!/bin/sh
> >
> >       /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
> >       /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et
> >
> >       cp /etc/snort/rules/vrt/*.* /etc/snort/rules
> >       cp /etc/snort/rules/et/*.* /etc/snort/rules
> >
> > in the vrt.conf file I disabled all the overlapping rules - included in
> > the attached txt file
>
> holy smokes, batman! that's almost what i was looking at ;)
>
> except, why copy the files to a central directory?? snort can easily look
> in multiple directories... that's an extra unneeded step in my book :P
>
> > I also use Andreas Östling's create-sidmap.pl which also complained
> > about the duplicate SIDs in the rules dir.
>
> i use this also... oooohhhhhhh... i think i see what you are saying...
> multiple SID map files are not handled all that well by external processing
> facilities???
>
> > On line 101 of create-sidmap.pl I added the following line to skip
> > disabled rules
> >
> >       next if ($single =~ /^\#/);
> >
> > Now I get all the ET Open rules and all the VRT free rules (with
> > community rules disabled)
> >
> > Hope someone gets some use out of it.
>
> it may very well come in handy 8)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
>
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and
> updates.
>
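Added example, not from the thread or from create-sidmap.pl: a small Python check that walks the two rules directories discussed above (paths and rule contents are constructed sample data, not real VRT or ET rules), skips commented-out rules the same way the `next if ($single =~ /^\#/)` line does, and reports any SID that is still enabled in more than one file, so the overlap can be fixed in oinkmaster's disable list before a sid map is generated.

```python
import re

# The sid option inside a Snort rule body, e.g. "sid:1000002;".
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def enabled_rules(text):
    """Return [(sid, rule)] for the enabled rules in one rules-file body.
    Lines starting with '#' are disabled rules and are skipped (the same test
    as `next if ($single =~ /^\\#/)`); backslash continuations are joined first."""
    rules = []
    for line in text.replace('\\\n', ' ').splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_RE.search(line)
        if m:
            rules.append((int(m.group(1)), line))
    return rules


def find_duplicate_sids(rule_files):
    """rule_files is {path: contents}; return {sid: [paths]} for every SID
    that is still enabled in more than one file."""
    seen = {}
    for path, text in rule_files.items():
        for sid, _ in enabled_rules(text):
            seen.setdefault(sid, []).append(path)
    return {sid: paths for sid, paths in seen.items() if len(paths) > 1}


# Constructed sample files (not real VRT/ET rules); SIDs use the local range.
HDR = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
SAMPLE_RULES = {
    '/etc/snort/rules/vrt/web-iis.rules':
        '# disabled in vrt.conf because the ET set ships the same rule\n'
        '#' + HDR + '(msg:"WEB-IIS sample A"; sid:1000001; rev:1;)\n'
        + HDR + '(msg:"WEB-IIS sample B"; sid:1000002; rev:1;)\n',
    '/etc/snort/rules/et/emerging-web.rules':
        HDR + '(msg:"ET WEB sample A"; sid:1000001; rev:2;)\n'
        + HDR + '(msg:"ET WEB sample B"; sid:1000002; rev:1;)\n'  # still overlaps
        + HDR + '\\\n    (msg:"ET WEB sample C"; sid:1000003; rev:1;)\n',
}

if __name__ == '__main__':
    for sid, paths in find_duplicate_sids(SAMPLE_RULES).items():
        print(f'duplicate sid {sid} enabled in: {", ".join(paths)}')
```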

