[Emerging-Sigs] The New Rulesets are Ready!!

Weir, Jason jason.weir at nhrs.org
Wed Oct 13 20:51:07 EDT 2010


Thanks Joel - never thought of doing it that way - makes perfect sense

Easier for me to keep track of them when they are all in 1 directory - unless that is until ET and VRT choose the same rule file name!

Thanks,
-J

________________________________

From: Joel Esler <jesler at sourcefire.com> 
To: Weir, Jason 
Cc: wkitty42 at windstream.net <wkitty42 at windstream.net>; emerging-sigs at emergingthreats.net <emerging-sigs at emergingthreats.net> 
Sent: Wed Oct 13 20:38:41 2010
Subject: Re: [Emerging-Sigs] The New Rulesets are Ready!! 


Different variables.

var RULE_PATH /etc/snort/rules
var RULE_PATH_ET /etc/snort/rules/et

include $RULE_PATH/web-iis.rules
include $RULE_PATH_ET/web-iis.rules (or whatever)

J


On Wed, Oct 13, 2010 at 8:23 PM, Weir, Jason <jason.weir at nhrs.org> wrote:


	I looked quickly but could not find how to make snort look in multiple rules directories - point me in the right direction kemosabe
	-J
	
	----- Original Message -----
	From: emerging-sigs-bounces at emergingthreats.net <emerging-sigs-bounces at emergingthreats.net>
	To: emerging-sigs at emergingthreats.net <emerging-sigs at emergingthreats.net>
	
	Sent: Wed Oct 13 20:09:36 2010
	Subject: Re: [Emerging-Sigs] The New Rulesets are Ready!!
	
	
	On 10/13/2010 13:49, Weir, Jason wrote:
	> Looks like I have a solution - Thanks Kevin for the inspiration....
	>
	> First I changed my script that runs oinkmaster to the following
	>
	>       #!/bin/sh
	>
	>       /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
	>       /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et
	>
	>       cp /etc/snort/rules/vrt/*.* /etc/snort/rules
	>       cp /etc/snort/rules/et/*.* /etc/snort/rules
	>
	> in the vrt.conf file I disabled all the overlapping rules - included in the attached txt file
	
	holy smokes, batman! that's almost what i was looking at ;)
	
	except, why copy the files to a central directory?? snort can easily look
	in multiple directories... that's an extra unneeded step in my book :P
	
	> I also use Andreas Östling's create-sidmap.pl which also complained about the duplicate SIDs in the rules dir.
	
	i use this also... oooohhhhhhh... i think i see what you are saying... multiple
	SID maps files are not handled all that well by external processing facilities???
	
	> On line 101 of create-sidmap.pl I added the following line to skip disabled rules
	>
	>       next if ($single =~ /^\#/);
	>
	> Now I get all the ET Open rules and all the VRT free rules (with community rules disabled)
	>
	> Hope someone gets some use out of it.
	
	it may very well come in handy 8)
	
	_______________________________________________
	Emerging-sigs mailing list
	Emerging-sigs at emergingthreats.net
	http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
	
	Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
	http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
	
	
	
	_____________________________________________________________________________________________
	
	Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
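As an added example (not code from this thread or from the Snort, oinkmaster or create-sidmap.pl projects), a small Python check in the spirit of the create-sidmap.pl tweak and the per-vendor RULE_PATH layout discussed above: it reads rule text from separate VRT and ET directories, skips commented-out (disabled) rules exactly as the `next if ($single =~ /^\#/);` line does, and reports SIDs defined in more than one file, which is the duplicate-SID collision the sid-map step complained about. The directory names and rule lines are constructed sample data.

```python
"""Cross-directory Snort SID check (added example, not the thread's own code).

Rules live in separate per-vendor directories (the thread uses
/etc/snort/rules/vrt and /etc/snort/rules/et); disabled rules (lines
starting with '#') are skipped, as in the create-sidmap.pl tweak. The
sample rule text below is constructed so the script runs offline.
"""
import re

# Pull the sid and msg options out of an enabled rule line.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample: two vendor directories sharing one SID (1000).
SAMPLE_RULES = {
    "rules/vrt/web-iis.rules": (
        'alert tcp any any -> any 80 (msg:"VRT iis probe"; sid:1000; rev:1;)\n'
        '# alert tcp any any -> any 80 (msg:"VRT disabled"; sid:1001; rev:1;)\n'
    ),
    "rules/et/web-iis.rules": (
        'alert tcp any any -> any 80 (msg:"ET iis probe"; sid:1000; rev:2;)\n'
        'alert tcp any any -> any 80 (msg:"ET other"; sid:2000000; rev:1;)\n'
    ),
}

def collect_sids(rule_files):
    """Map sid -> [(path, msg), ...] for every enabled rule line."""
    seen = {}
    for path, text in rule_files.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):   # disabled rule / comment
                continue
            sid = SID_RE.search(line)
            if not sid:
                continue
            msg = MSG_RE.search(line)
            seen.setdefault(int(sid.group(1)), []).append(
                (path, msg.group(1) if msg else ""))
    return seen

def duplicate_sids(rule_files):
    """Return only the SIDs that are defined in more than one place."""
    return {s: v for s, v in collect_sids(rule_files).items() if len(v) > 1}

def sid_msg_map(rule_files):
    """Render 'sid || msg' lines (sid-msg.map style) from the enabled rules."""
    return ["%d || %s" % (s, v[0][1])
            for s, v in sorted(collect_sids(rule_files).items())]

if __name__ == "__main__":
    for sid, where in duplicate_sids(SAMPLE_RULES).items():
        print("duplicate sid %d: %s" % (sid, ", ".join(p for p, _ in where)))
```

Point `collect_sids` at the real files by reading each `*.rules` under the per-vendor directories into the same `{path: text}` shape before loading them into Snort.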