Emerging Threats .net
A network security analysis and monitoring toolkit Linux distribution.
Brought to you by: pblankenbaker, rwhalb
Hi Paul,
Is there a way to manually replace the snort rules with the emergingthreat.net snort rules? The reason I'm asking is this:
1. I know there is a link to the emergingthreats.net and that they have made changes to the URL, which I have done, and I was able to download but got errors installing. But also they are having problems with DDoS attacks on their website, so double whammy. I have been able to manually download the ET Rules tar.gz file and placed it in the tmp directory and pointed to this file to "download", but I get an error saying it is not able to uncompress this file.
2. I believe snort is giving up on 2.6.8.1 and so will not be supporting the rules for much longer. (BTW, is there any work on upgrading NST to have 2.9.0.1 within this distro, or is that a large undertaking?)
So if I could just manually make that change I would much appreciate it.
Thanks Paul, and great work with the new NST 2.13. Love it!!!!!
Patrick
Hello Patrick:
Item 1:
Ron just updated the snort page in the NST WUI to work with the emerging threats .tar.gz file format. It supports both the free and pro version based rule sets. I know he had to make some changes, as the contents of the .tar.gz file were different from some of the other rule sets.
Free URL: http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
Pro URL: http://rules.emergingthreatspro.com/YOUR_CODE/snort-2.8.6/etpro.rules.tar.gz
I'm assuming that you are talking about one of these two files and that you had to download it yourself manually due to the DDoS attacks directed at the emergingthreats.net web site. So, my suggestion would be:
1. Make sure your system is up to date (yum update)
2. Open the snort management page from the NST WUI.
3. Select either the "Pro" or "Open" emerging threats input field and try changing the URL to a location somewhere on your file system (use the "file://" protocol - for example, if the file is "/tmp/rules.tar.gz", set the URL to: "file:///tmp/rules.tar.gz").
I'm not 100% sure a file: protocol will work, but it might.
Item 2:
Yes, we have noticed that snort 2.9.0.1 is out, we just haven't gotten around to investigating what it will take to move to the new release yet.
I'm glad to hear that the new release of the NST is working well for you.
Paul
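Before pointing the WUI at a file:// URL, it is worth checking that the manually downloaded archive is really a gzip'd tar of .rules files and not, say, an HTML error page saved under that name while the site was under DDoS. The following shell snippet is an added example, not part of NST or this thread; the function names and the sample archive it is tested against are constructed here.

```bash
#!/bin/sh
# Added example (not NST's own code): sanity-check a manually downloaded
# Emerging Threats rules archive before handing its file:// URL to the NST WUI.
# Catches the usual causes of "unable to uncompress": an HTML error page saved
# as .tar.gz, or a truncated download.

# check_et_rules <path>
#   returns 0 if <path> is valid gzip data, is a tar archive, and contains at
#   least one *.rules file; prints the reason and returns 1 otherwise.
check_et_rules() {
    archive="$1"
    [ -s "$archive" ] || { echo "missing or empty: $archive"; return 1; }
    # Must be real gzip data, not an error page or a partial transfer
    if ! gzip -t "$archive" 2>/dev/null; then
        echo "not valid gzip data (error page or partial download?): $archive"
        return 1
    fi
    # Must be a tar archive carrying Snort rules files
    n=$(tar tzf "$archive" 2>/dev/null | grep -c '\.rules$' || true)
    if [ "${n:-0}" -eq 0 ]; then
        echo "no .rules files inside archive: $archive"
        return 1
    fi
    echo "ok: $archive contains $n rules file(s)"
    return 0
}

# file_url <absolute path> -> the URL to enter in the WUI's Open/Pro field
file_url() {
    printf 'file://%s\n' "$1"
}

# Typical use after saving the archive to /tmp:
#   check_et_rules /tmp/rules.tar.gz && file_url /tmp/rules.tar.gz
```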
FYI:
Ron has updated the snort package to 2.9.0.1 and it's now available via "yum update" for NST v2.13.0 systems. While this snort package is compiled to support setting up an IPS, the NST WUI does not guide you through the process (you'll need to go through the snort documentation to determine what is required for your environment).
Here is his change log:
Changelog by Ronald W. Henderson (2010-11-17):
- Updated to Snort v2.9.0.1
- Now includes IPS using DAQ type and mode.