From: Bill W. <bw...@op...> - 2005-06-07 13:40:17
Thanks! That worked.

Will Metcalf wrote:

>In your oinkmaster.conf
>
>modifysid * "^alert" | "drop"
>
>then use disablesid to comment out your rules.
>
>disablesid 1201,485,620,2087,663
>
>Regards,
>
>Will
>
>On 6/6/05, Bill Warren <bw...@op...> wrote:
>
>>I am trying to use Oinkmaster to keep my inline box up with the latest
>>rules.
>>
>>So, I created a file and I put in it:
>>
>>    #! /bin/sh
>>
>>    oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/ \
>>        -u http://www.bleedingsnort.com/bleeding.rules.tar.gz
>>
>>    oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/
>>
>>    cd /etc/snort_inline/rules
>>    ./convert.sh
>>
>>The convert.sh is something I got from www.honeynet.org to make all the
>>rules turn into drop rules. Here is the main section:
>>
>>for x in `ls *.rules`
>>do
>>    echo "Converting rule $p in $x to use the DROP command for bidirectional Honeynets"
>>    cat $x | sed -e "s/EXTERNAL_NET/HONEYNET/g" -e "s/HOME_NET/EXTERNAL_NET/g" \
>>        -e "s/SMTP_SERVERS/EXTERNAL_NET/g" -e "s/HTTP_SERVERS/EXTERNAL_NET/g" \
>>        -e "s/SQL_SERVERS/EXTERNAL_NET/g" -e "s/DNS_SERVERS/EXTERNAL_NET/g" \
>>        -e "s/TELNET_SERVERS/EXTERNAL_NET/g" -e "s/alert /drop /g" \
>>        -e "s/ -/ </g" > $TMP
>>    cat $TMP > $x
>>done
>>
>>When I run oinkmaster again it sees all the rules as wrong and all the
>>rules that I have commented out are now uncommented. Does anybody have
>>a better way of updating the rules? I am running in bridged mode.
>>
>>Thanks,
>>Bill
>
>_______________________________________________
>Snort-inline-users mailing list
>Sno...@li...
>https://lists.sourceforge.net/lists/listinfo/snort-inline-users
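
A check one could run after each Oinkmaster update, before reloading snort_inline, to confirm the result matches the configuration Will describes: no active rule still begins with `alert`, and every SID on the `disablesid` list appears only on commented-out lines. This is an added example, not part of the original thread; the function name `check_inline_rules` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify an inline rules directory
# after an Oinkmaster run.
#
# Usage: check_inline_rules /etc/snort_inline/rules 1201,485,620,2087,663
#   $1 - directory holding the *.rules files (Oinkmaster's -o target)
#   $2 - comma-separated SIDs that disablesid is expected to comment out
# Returns 0 if the directory is consistent, 1 on a rule problem,
# 2 if the directory contains no .rules files at all.
check_inline_rules() {
    dir=$1
    sids=$2
    rc=0

    # Refuse to report success on an empty or mistyped directory.
    set -- "$dir"/*.rules
    if [ ! -e "$1" ]; then
        echo "FAIL: no .rules files in $dir" >&2
        return 2
    fi

    # Active rules that still say "alert" would log traffic instead of
    # dropping it. /dev/null forces grep to print file names.
    if grep -n -E '^[[:space:]]*alert[[:space:]]' /dev/null "$@"; then
        echo "FAIL: active alert rules remain (listed above)" >&2
        rc=1
    fi

    # Every SID on the disable list may appear only on commented-out lines,
    # i.e. lines whose first non-blank character is '#'.
    for sid in $(printf '%s' "$sids" | tr ',' ' '); do
        if grep -n -E "^[[:space:]]*[^#[:space:]].*sid:[[:space:]]*$sid;" \
                /dev/null "$@"; then
            echo "FAIL: SID $sid is active but should be disabled" >&2
            rc=1
        fi
    done

    return $rc
}
```

Offending lines are printed as `file:line:rule` on standard output, so the function can gate a reload in the same cron script that runs Oinkmaster.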