Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
OINKMASTER(1)		    General Commands Manual		 OINKMASTER(1)

NAME
       oinkmaster - update Snort signatures

SYNOPSIS
       oinkmaster.pl -o	outdir [options]

DESCRIPTION
       Oinkmaster  is simple tool that helps you keep your Snort rules current
       with little or no user interaction. It downloads	a  tarball  containing
       the new rules and can then enable, disable or even make arbitrary modi-
       fications to specified rules before updating your  local	 rules	files.
       It will also tell you the exact changes from your previous rules.

OPTIONS
       The  only  required argument to Oinkmaster is -o	outdir where outdir is
       the directory to	put the	new rules files	in. This should	be  where  you
       keep  your  rules locally. The downloaded files will be compared	to the
       ones in here before possibly overwriting	them.

       Optional	arguments:

       -b dir If the rules have	been modified, a tarball  of  your  old	 rules
	      will  be	put in dir before overwriting them with	the new	files.
	      No backup	is done	if no file has changed	or  if	Oinkmaster  is
	      running in careful mode.

       -c     Run  in careful mode. This means that Oinkmaster will only check
	      for updates and print them, but not update anything.

       -C cfg Use this configuration file instead  of  the  default.   If  not
	      specified,  oinkmaster.conf will be looked for in	/etc/ and then
	      /usr/local/etc/.	You can	specify	multiple -C cfg	to load	multi-
	      ple  configuration  files.   They	will be	loaded in order	of ap-
	      pearance on the command line. If	an  option  is	redefined,  it
	      overrides	 the  previous	value (except for the "url" option, as
	      you are allowed to specify multiple URLs).

       -e     Enable rules that	are disabled  by  default  in  the  downloaded
	      rules  archive  by  removing  all	 the leading "#" from them. If
	      there are	any disabled rules in the archive, they	will stay that
	      way unless you use this option.  Remember	that they are disabled
	      for a reason (they may not even work), so	use this  option  with
	      care.

       -h     Show valid command line arguments	with short descriptions

       -i     Enable  interactive  mode.  You  will  be	 asked	to approve the
	      changes (if any) before updating anything.

       -m     Minimize/simplify	the diff when  printing	 result	 for  modified
	      rules  by	 removing common leading and trailing parts of the old
	      and new rule so it's easier to see  the  actual  change.	A  few
	      characters  to  the left and to the right	of the change are also
	      printed so you get some context.	The  rev  keyword  is  ignored
	      when the comparison and removal of common	parts is performed be-
	      cause it would often make	the whole idea	fail.	(If  you  feel
	      it's  important to be able to verify that	the rev	number has in-
	      creased when a rule has been updated, do not use	the  minimized
	      diff mode.)

	      Normally when a rule has changed the entire old and new versions
	      are printed, but the actual change between them can be  hard  to
	      see if the rules are long, complex and many.

	      The normal output	could look like	this:

	      Old: alert tcp any any ->	any 22 (msg: "foo"; flags: A+; rev:1;)
	      New: alert tcp any any ->	any 123	(msg: "foo"; flags: A+;	rev:2;)

	      When using -m it would instead look something like:

	      Old: ...any any -> any 22	(msg: "foo";...
	      New: ...any any -> any 123 (msg: "foo";...

       -q     Run  in  quiet mode. Nothing is printed unless there are changes
	      in the rules or if there are errors or warnings.

       -Q     Run in super-quiet mode. This is the same	as -q  but  even  more
	      quiet  when  printing  the  results  (the	 "None."  stuff	is not
	      printed).	It will	also suppress some other warning messages such
	      as  those	 for duplicate SIDs and	non-matching modifysid expres-
	      sions.

       -r     Check for	rules files that exist in the output directory but not
	      in  the  downloaded rules	archive, i.e. files that may have been
	      removed from the distribution archive.

       -s     Leave out	details	when printing results (aka  bmc	 mode).	  This
	      means  that the entire added / removed / modified	rules will not
	      be printed, just their SID and msg string,  plus	the  filename.
	      Non-rule changes are printed as usual. This output mode could be
	      useful for example if you	send the output	by email to people who
	      don't  really care about the details of the rules, just the fact
	      that they	have been updated. Example output when running with -s

	      [+++]	     Added rules:	   [+++]

		  1607 - WEB-CGI HyperSeek hsx.cgi access (web-cgi.rules)
		  1775 - MYSQL root login attempt (mysql.rules)

	      [///]	Modified active	rules:	   [///]

		   302 - EXPLOIT Redhat	7.0 lprd overflow (exploit.rules)
		   304 - EXPLOIT SCO calserver overflow	(exploit.rules)
		   305 - EXPLOIT delegate proxy	overflow (exploit.rules)
		   306 - EXPLOIT VQServer admin	(exploit.rules)

       -S file
	      Used in conjuction with with -U to specify which file(s) in  the
	      downloaded  archive(s)  to  search  for  new variables. When not
	      specified, snort.conf is checked.	 You may specify  multiple  -S
	      file to search for new variables in multiple files.

       -T     Check  the configuration file(s) for fatal errors	and then exit.
	      Possible warning messages	are printed as well.

       -u url Download the rules archive from  url  instead  of	 the  location
	      specified	 in  the  configuration	 file.	 It  must  start  with
	      file://, ftp://,	http://,  https://  or	scp://	and  end  with
	      ".tar.gz"	or ".tgz". The file must be a gzipped tarball contain-
	      ing a directory named "rules", holding all the rules  files.  It
	      must not contain any symlinks. You can also point	to a local di-
	      rectory with dir://<directory>. For the  official	 Snort	rules,
	      the  URL	to  use	depends	on the version of Snort	you run	and it
	      might also require registration.	Visit the rules	download  sec-
	      tion at the Snort	web site to find the right URL and more	infor-
	      mation. Remember to update the URL when upgrading	to a new major
	      version of Snort.

	      You  may specify multiple	-u url to grab multiple	rules archives
	      from different locations.	All rules files	in the	archives  will
	      be  put in the same output directory so if the same filename ex-
	      ists in multiple archives, Oinkmaster will print an  error  mes-
	      sage  and	 exit.	That's why it's	usually	recommended to instead
	      run Oinkmaster once for each URL and use separate	output	direc-
	      tories.  If -u url is specified, it overrides any	URLs specified
	      in the configuration file(s). Note that  if  multiple  URLs  are
	      specified	 and one of them is broken, Oinkmaster will exit imme-
	      diately without further processing. This can be good or bad, de-
	      pending on the situation.

       -U file
	      Variables	 (i.e.	"var  foo bar" lines) that exist in downloaded
	      snort.conf but not in file will be added to file right after any
	      other variables it may contain.  Modified	existing variables are
	      not merged, only new ones.  file	is  normally  your  production
	      copy  of	snort.conf (which should not be	a file that is updated
	      by Oinkmaster the	normal way).  This feature is to prevent Snort
	      from breaking in case there are new variables added in the down-
	      loaded rules, as Snort can not start if the rules	use  variables
	      that  aren't  defined  anywhere.	By default when	using -U , the
	      file snort.conf in the downloaded	 archive  is  search  for  new
	      variables	 but  you can override this with the -S	file argument.
	      If you download from multiple URLs, Oinkmaster will look	for  a
	      snort.conf in each downloaded rules archive.

       -v     Run  in verbose/debug mode. Should probably only be used in case
	      you need to debug	your settings, like  verifying	complex	 modi-
	      fysid statements.	 It will also tell you if you try to use "dis-
	      ablesid"	on  non-existent  SIDs.	 Warnings  about   using   en-
	      ablesid/localsid/modifysid   on  non-existent  SIDs  are	always
	      printed unless running in	quiet mode, as those are usually  more
	      important	 (using	 "disablesid" on a non-existent	rule is	a NOOP
	      anyway).

       -V     Show version and exit.

EXAMPLES
       Download	rules archive from  default  location  specified  in  oinkmas-
       ter.conf	and put	the new	rules in /etc/rules/:

	   oinkmaster.pl -o /etc/rules

       Grab  rules archive from	local filesystem and do	not print anything un-
       less it contains	updated	rules:

	   oinkmaster.pl -u file:///tmp/rules.tar.gz -o	/etc/rules -q

       Download	rules archive from default location, make backup of old	 rules
       if there	were updates, and send output by e-mail. (Note however that if
       you plan	on distributing	files with Oinkmaster that could be considered
       sensitive,  such	as Snort configuration files containing	database pass-
       words, you should of course not send the	output by e-mail without first
       encrypting the content.):

	   oinkmaster.pl -o /etc/snort/rules -b	/etc/snort/backup 2>&1 | \
	   mail	-s "subject" user@example.com

       Grab  three  different rules archives and merge variables that exist in
       downloaded   snort.conf	  and	 foo.conf    but    not	   in	 local
       /etc/snort/snort.conf:

	   oinkmaster.pl -u file:///tmp/foo.rules.tar.gz \
	   -u http://somewhere/rules.tar.gz -u https://blah/rules.tar.gz \
	   -o /etc/rules -S snort.conf -S foo.conf -U /etc/snort/snort.conf

       Load  settings  from two	different files, use scp to download rules ar-
       chive from a remote host	where you have put the	rules  archive,	 merge
       variables  from	downloaded snort.conf, and send	results	by e-mail only
       if anything changed or if there were any	 error	messages.  It  assumes
       that the	"mktemp" command is available on the system:

	   TMP=`mktemp /tmp/oinkmaster.XXXXXX` && \
	   (oinkmaster.pl -C /etc/oinkmaster-global.conf \
	   -C /etc/oinkmaster-sensor.conf -o /etc/rules	\
	   -U /etc/snort.conf \
	   -u scp://user@example.com:/home/user/rules.tar.gz \
	   > $TMP 2>&1;	if [ -s	$TMP ];	then mail -s "subject" \
	   you@example.com < $TMP; fi; rm $TMP)

FILES
       /etc/oinkmaster.conf
       /usr/local/etc/oinkmaster.conf

BUGS
       If you find a bug, report it by e-mail to the author. Always include as
       much information	as possible.

HISTORY
       The initial version was released	in early 2001 under  the  name	arach-
       nids_upd.  It  worked only with the ArachNIDS Snort rules, but as times
       changed,	it was rewritten to work with the official Snort rules and the
       new name	became Oinkmaster.

AUTHOR
       Andreas Ostling <andreaso@it.su.se>

SEE ALSO
       The online documentation	at http://oinkmaster.sf.net/ contains more in-
       formation.

			       January 14, 2004			 OINKMASTER(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | FILES | BUGS | HISTORY | AUTHOR | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=oinkmaster&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help