[Honeywall] Snort updates

Earl esammons at hush.com
Thu Jun 28 15:35:45 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nelson,

this makes sense...  I'll have a closer look at it this weekend and
take a shot at implementing it so all can avail of the
flexibility...

Thanks for all of the details!  Feedback like this helps us improve
this stuff!

Earl

On Thu, 28 Jun 2007 08:51:09 -0400 Nelson Williams
<ngamazo at segurmatica.cu> wrote:
>Earl
>
>We face that problem (updating snort rules from multiple sites). Our
>internal solution was the following:
>
>1- Create an Hw variable (HwSnort_Update_URL) used in "hwruleupdate"
>to set the Oinkmaster update repository.
>
>2- Change the walleye interface (in the "Management Snort Rule"
>section) to accept an arbitrary URL repository. The URL is stored in
>the HW variable HwSnort_Update_URL.
>
>3- Finally, add "create-sidmap.pl /etc/snort/rules/ >
>/etc/snort/sid-msg.map" to "hwruleupdate" in the snort update section.
>
>This worked in our tests with the VRT and Community rules from
>different sites.
>
>Brgds
>Nelson
>
>
>
>
>-----Original Message-----
>From: honeywall-bounces at public.honeynet.org
>[mailto:honeywall-bounces at public.honeynet.org] On Behalf Of Earl
>Sent: Thursday, June 28, 2007 1:38 AM
>To: honeywall at public.honeynet.org
>Subject: Re: [Honeywall] Snort updates
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Nelson,
>
>I was thinking that sid-msg.map would come down fresh with each
>rule update but that limits things to one rule repository. Telling
>oinkmaster to skip downloading it then running create-sidmap.pl (as
>you suggest) on the entire rule set post update will cover cases
>when people want to configure things for updates from multiple rule
>repos.
>
>There might be other tweaks to add here to make it easier to
>reconfig for other rule repos...  I was kinda rushed... did my best
>to get it working for just VRT rules with hopes that it would also
>be reconfigurable for other repos as well.
>
>Great tip.  I'll get to this one soon.  thanks!
>
>Earl
>
>On Wed, 27 Jun 2007 15:27:41 -0400 Nelson Williams
><ngamazo at segurmatica.cu> wrote:
>>Hello
>>
>>The honeywall is updating snort rules using Oinkmaster. But
>>Oinkmaster by default doesn't update the sidmap file for snort, so
>>newly updated rules will not be named (displayed as "unknown
>>signature") in the walleye interface.
>>
>>The script "hwruleupdate" should run the following command after
>>updating the snort rules:
>>
>>create-sidmap.pl /etc/snort/rules/ > /etc/snort/sid-msg.map
>>
>>Brgds.
>>
>>nelson
>-----BEGIN PGP SIGNATURE-----
>Note: This signature can be verified at
>https://www.hushtools.com/verify
>Version: Hush 2.5
>
>wkYEARECAAYFAkaDRPQACgkQk7+e+4lPSm1r/QCfUUg/dh3xFDe4JpECa7a+MEMO7+E
>A
>niuQSnrWFVj8QvnQ/HyJgKANUZFG
>=jnDi
>-----END PGP SIGNATURE-----
>
>
>_______________________________________________
>Honeywall mailing list
>Honeywall at public.honeynet.org
>https://public.honeynet.org/mailman/listinfo/honeywall
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wkYEARECAAYFAkaDxT8ACgkQk7+e+4lPSm2o3QCdHwL7xtd6T2ORPDEyX+dVnn9Aa9sA
n01TEiFSONp9D4kNtrH3X6GvarA/
=JixR
-----END PGP SIGNATURE-----
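Added example (not code from the Honeywall project or from anyone on this thread): a POSIX shell/awk stand-in for the create-sidmap.pl step discussed above. It rebuilds a sid-msg.map in Snort's "sid || msg || reference" format from every *.rules file in a directory, so rules merged from several repositories all get names in walleye, and it guards against one hazard of the `create-sidmap.pl ... > /etc/snort/sid-msg.map` form: the shell truncates the target before the script runs, so a failed run leaves an empty map and every alert shows as "unknown signature". Here the map is written to a temporary file and only moved into place if it is non-empty. The function names, the temporary-file layout and the sample rule files are constructed for this illustration and are assumptions; on a real Honeywall the sample writer would be replaced by the Oinkmaster-managed rules directory.

```shell
#!/bin/sh
# Rebuild sid-msg.map from a directory of Snort rule files.
# Constructed stand-in for create-sidmap.pl (hypothetical; not Honeywall code).

# Print "sid || msg [|| reference ...]" for every active rule under $1.
gen_sidmap() {
    rules_dir="$1"
    cat "$rules_dir"/*.rules | awk '
        # A trailing backslash continues the rule on the next line: buffer it.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        {
            rule = buf $0; buf = ""
            if (rule ~ /^[ \t]*#/) next                   # commented-out rule
            if (!match(rule, /sid:[ \t]*[0-9]+/)) next     # no sid: not an active rule
            sid = substr(rule, RSTART, RLENGTH); sub(/^sid:[ \t]*/, "", sid)
            # msg parsing assumes the message text contains no escaped quotes.
            if (!match(rule, /msg:[ \t]*"[^"]*"/)) next    # no msg: nothing to map
            msg = substr(rule, RSTART, RLENGTH)
            sub(/^msg:[ \t]*"/, "", msg); sub(/"$/, "", msg)
            out = sid " || " msg
            rest = rule
            while (match(rest, /reference:[ \t]*[^;]+;/)) {
                ref = substr(rest, RSTART, RLENGTH)
                sub(/^reference:[ \t]*/, "", ref); sub(/;$/, "", ref)
                out = out " || " ref
                rest = substr(rest, RSTART + RLENGTH)
            }
            print out
        }' | sort -n
}

# Write the map next to its target and rename it into place, so a failed or
# empty run never truncates the sid-msg.map that Snort/walleye are using.
update_sidmap() {
    rules_dir="$1"; target="$2"
    tmp="$target.tmp.$$"
    gen_sidmap "$rules_dir" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }    # refuse to install an empty map
    mv "$tmp" "$target"
}

# Constructed sample rule files (not real VRT or Community rules) so the
# example runs offline; two files stand in for two rule repositories.
write_sample_rules() {
    cat > "$1/local.rules" <<'EOF'
# alert tcp any any -> any 80 (msg:"COMMENTED OUT"; sid:1000099; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE WEB test cgi"; \
    content:"/test.cgi"; http_uri; reference:cve,1999-0509; reference:url,example.invalid/web; sid:1000001; rev:1;)
EOF
    cat > "$1/community.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; reference:url,example.invalid/ssh; classtype:attempted-admin; sid:1000002; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ICMP large echo"; dsize:>1000; sid:1000003; rev:1;)
EOF
}

# Demo: build a map from the sample rules and show it.
demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir"
update_sidmap "$demo_dir" "$demo_dir/sid-msg.map"
cat "$demo_dir/sid-msg.map"
rm -rf "$demo_dir"
```

Run it after Oinkmaster has finished. If one of the repositories also ships a sid-msg.map, list that file under `skipfile` in oinkmaster.conf so the downloaded copy does not overwrite the merged one, which is the arrangement Earl describes above. Rules whose msg contains an escaped double quote are not handled by this simplified parser.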