[Honeywall] Snort updates

Nelson Williams ngamazo at segurmatica.cu
Thu Jun 28 08:51:09 EDT 2007


Earl

We faced that problem (updating Snort rules from multiple sites). Our internal
solution was the following:

1- Create an HW variable (HwSnort_Update_URL) used in "hwruleupdate" to set
the Oinkmaster update repository.

2- Change the walleye interface (in the "Management Snort Rule" section) to
accept an arbitrary URL repository. The URL is stored in the HW variable
HwSnort_Update_URL.

3- Finally add "create-sidmap.pl /etc/snort/rules/ > /etc/snort/sid-msg.map"
to "hwruleupdate" in the snort update section.

This works in our tests with the VRT and Community rules from different sites.

Brgds
Nelson




-----Original Message-----
From: honeywall-bounces at public.honeynet.org
[mailto:honeywall-bounces at public.honeynet.org] On Behalf Of Earl
Sent: Thursday, June 28, 2007 1:38 AM
To: honeywall at public.honeynet.org
Subject: Re: [Honeywall] Snort updates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nelson,

I was thinking that sid-msg.map would come down fresh with each
rule update but that limits things to one rule repository.  Telling
oinkmaster to skip downloading it then running create-sidmap.pl (as
you suggest) on the entire rule set post update will cover cases
when people want to configure things for updates from multiple rule
repos.

There might be other tweaks to add here to make it easier to
reconfig for other rule repos...  I was kinda rushed... did my best
to get it working for just VRT rules with hopes that it would also
be reconfigurable for other repos as well.

Great tip.  I'll get to this one soon.  thanks!

Earl

On Wed, 27 Jun 2007 15:27:41 -0400 Nelson Williams
<ngamazo at segurmatica.cu> wrote:
>Hello
>
>The honeywall is updating snort rules using Oinkmaster. But
>Oinkmaster by default doesn't update the sid map file for snort,
>so newly updated rules will not be named (displayed as "unknown
>signature") in the walleye interface.
>
>The script "hwruleupdate" should need to run the following command
>after updating the snort rules:
>
>create-sidmap.pl /etc/snort/rules/ > /etc/snort/sid-msg.map
>
>Brgds.
>
>nelson
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wkYEARECAAYFAkaDRPQACgkQk7+e+4lPSm1r/QCfUUg/dh3xFDe4JpECa7a+MEMO7+EA
niuQSnrWFVj8QvnQ/HyJgKANUZFG
=jnDi
-----END PGP SIGNATURE-----
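The step the thread converges on is regenerating sid-msg.map from the whole rule directory after Oinkmaster has run, so that rules pulled from more than one repository are all named in Walleye rather than showing as "unknown signature". The script below is an added example written for this page; it is not Honeywall's hwruleupdate and not Snort's create-sidmap.pl. It implements the same idea in POSIX shell and awk: walk every *.rules file in one directory, skip disabled (commented-out) rules, pull out the sid, msg and reference options, and emit the classic "sid || msg || ref1 || ref2" map layout, first occurrence of a sid winning. The rules directory path, the function names and the sample rule lines in demo_sidmap are all constructed for the example; the demo writes its own throwaway rule files so it runs offline.

```shell
#!/bin/sh
# Added example, not Honeywall's hwruleupdate and not Snort's create-sidmap.pl:
# regenerate sid-msg.map from every *.rules file in one directory, so rules
# fetched from several repositories all get a name in Walleye instead of
# "unknown signature".
#
# Usage:  build_sidmap /etc/snort/rules > /etc/snort/sid-msg.map
# Assumes one rule per line (no backslash continuation lines).

build_sidmap() {
    rules_dir="$1"
    # Drop commented-out (disabled) rules, keep only lines carrying a sid,
    # then extract sid, msg and any reference options. Output layout is
    # "sid || msg || ref1 || ref2"; the first occurrence of a sid wins and
    # the result is sorted numerically by sid.
    cat "$rules_dir"/*.rules 2>/dev/null |
    grep -v '^[[:space:]]*#' |
    grep 'sid:[[:space:]]*[0-9]' |
    awk '
    {
        sid = ""; msg = ""; refs = ""
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/sid:[ \t]*/, "", sid)
        }
        if (match($0, /msg:[ \t]*"[^"]*"/)) {
            msg = substr($0, RSTART, RLENGTH)
            sub(/msg:[ \t]*"/, "", msg); sub(/"$/, "", msg)
        }
        rest = $0
        while (match(rest, /reference:[ \t]*[^;]+;/)) {
            r = substr(rest, RSTART, RLENGTH)
            sub(/reference:[ \t]*/, "", r); sub(/;$/, "", r)
            refs = refs " || " r
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (sid != "" && msg != "" && !seen[sid]++) print sid " || " msg refs
    }' |
    sort -n
}

# Constructed sample rule files (not real VRT or Community content) that
# exercise the function offline: two "repositories", a disabled rule, a rule
# with two references and a duplicate sid. Prints the generated map.
demo_sidmap() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/community.rules" <<'EOF'
# CONSTRUCTED sample file, not a real rule set
alert tcp any any -> any 443 (msg:"CONSTRUCTED community rule"; reference:url,example.invalid/two; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"CONSTRUCTED dns rule"; reference:url,example.invalid/a; reference:url,example.invalid/b; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"CONSTRUCTED duplicate sid"; sid:1000002; rev:1;)
EOF
    cat > "$tmp/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"CONSTRUCTED local rule one"; sid:1000001; rev:1;)
# alert tcp any any -> any 81 (msg:"CONSTRUCTED disabled rule"; sid:1000009; rev:1;)
EOF
    build_sidmap "$tmp"
    rm -rf "$tmp"
}

demo_sidmap
```

Running the script prints three map lines (sids 1000001 to 1000003); the disabled rule is left out and the duplicate sid 1000002 keeps the entry that appears first in the files. Wiring it into an update script is a matter of calling build_sidmap after the Oinkmaster run and redirecting its output over the existing sid-msg.map, which is exactly the position the thread suggests for the create-sidmap.pl call.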


_______________________________________________
Honeywall mailing list
Honeywall at public.honeynet.org
https://public.honeynet.org/mailman/listinfo/honeywall