Installing Suricata with Oinkmaster: Difference between revisions

Line 2:

Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for [[Suricata]].

If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:~~<syntaxhighlight lang="shell">~~

If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:

~~apt-get install oinkmaster~~

~~</syntaxhighlight>Edit the configuration file <code>/etc/oinkmaster.conf</code>:<syntaxhighlight lang="shell">~~

~~url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz~~

~~</syntaxhighlight>Create the directory for rules:<syntaxhighlight lang="shell">~~

~~mkdir /etc/suricata/rules~~

~~</syntaxhighlight>Download the rules:<syntaxhighlight lang="shell">~~

~~oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules~~

~~</syntaxhighlight>Now update Suricata’s configuration (default for [[Ubuntu]] is <code>/etc/suricata/suricata.yaml</code> to match the paths:<syntaxhighlight lang="shell" line="1">~~

~~classification-file: /etc/suricata/rules/classification.config~~

~~reference-config-file: /etc/suricata/rules/reference.config~~

~~default-rule-path: /etc/suricata/rules~~

~~</syntaxhighlight>Now, we need to update the list of rules (adding names of files <code>/etc/suricata/rules/*.rules</code>) in the same configuration file:<syntaxhighlight lang="shell" line="1">~~

~~rules-files:~~

~~- botcc.rules~~

~~- ...~~

~~</syntaxhighlight>The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.~~

~~If you want to disable only a signature, find its sid (signature id), and add it to <code>/etc/~~oinkmaster~~.conf</code>:<syntaxhighlight lang="shell">~~

apt-get install oinkmaster

~~disablesid 2011755~~

~~</syntaxhighlight>On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.~~

~~Modify~~ rules<~~syntaxhighlight lang="shell"~~>

Edit the configuration file <code>/etc/oinkmaster.conf</code>:

modifysid 2029054 "alert" | "drop"

~~</syntaxhighlight>~~

url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Create the directory for rules:

mkdir /etc/suricata/rules

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Now update Suricata’s configuration (default for [[Ubuntu]] is <code>/etc/suricata/suricata.yaml</code> to match the paths:

classification-file: /etc/suricata/rules/classification.config

reference-config-file: /etc/suricata/rules/reference.config

default-rule-path: /etc/suricata/rules

Now, we need to update the list of rules (adding names of files <code>/etc/suricata/rules/*.rules</code>) in the same configuration file:

rules-files:

- botcc.rules

- ...

The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.

If you want to disable only a signature, find its sid (signature id), and add it to <code>/etc/oinkmaster.conf</code>:

disablesid 2011755

On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.

Modify rules

modifysid 2029054 "alert" | "drop"

===Updating the rules===

One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command:~~<syntaxhighlight lang="shell">~~

One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

~~</syntaxhighlight>~~

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

==Source==

@@ Line 2: / Line 2: @@
 Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for [[Suricata]].
-If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:<syntaxhighlight lang="shell">
+If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:
-apt-get install oinkmaster
-</syntaxhighlight>Edit the configuration file <code>/etc/oinkmaster.conf</code>:<syntaxhighlight lang="shell">
-url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
-</syntaxhighlight>Create the directory for rules:<syntaxhighlight lang="shell">
-mkdir /etc/suricata/rules
-</syntaxhighlight>Download the rules:<syntaxhighlight lang="shell">
-oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
-</syntaxhighlight>Now update Suricata’s configuration (default for [[Ubuntu]] is <code>/etc/suricata/suricata.yaml</code> to match the paths:<syntaxhighlight lang="shell" line="1">
-classification-file: /etc/suricata/rules/classification.config
-reference-config-file: /etc/suricata/rules/reference.config
-default-rule-path: /etc/suricata/rules
-</syntaxhighlight>Now, we need to update the list of rules (adding names of files <code>/etc/suricata/rules/*.rules</code>) in the same configuration file:<syntaxhighlight lang="shell" line="1">
-rules-files:
-- botcc.rules
-- ...
-</syntaxhighlight>The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.
-If you want to disable only a signature, find its sid (signature id), and add it to <code>/etc/oinkmaster.conf</code>:<syntaxhighlight lang="shell">
+ apt-get install oinkmaster
-disablesid 2011755
-</syntaxhighlight>On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.
-Modify rules<syntaxhighlight lang="shell">
+Edit the configuration file <code>/etc/oinkmaster.conf</code>:
-modifysid 2029054 "alert" | "drop"
-</syntaxhighlight>
+ url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
+Create the directory for rules:
+ mkdir /etc/suricata/rules
+ oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
+Now update Suricata’s configuration (default for [[Ubuntu]] is <code>/etc/suricata/suricata.yaml</code> to match the paths:
+ classification-file: /etc/suricata/rules/classification.config
+ reference-config-file: /etc/suricata/rules/reference.config
+ default-rule-path: /etc/suricata/rules
+Now, we need to update the list of rules (adding names of files <code>/etc/suricata/rules/*.rules</code>) in the same configuration file:
+ rules-files:
+ - botcc.rules
+ - ...
+The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.
+If you want to disable only a signature, find its sid (signature id), and add it to <code>/etc/oinkmaster.conf</code>:
+ disablesid 2011755
+On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.
+Modify rules
+ modifysid 2029054 "alert" | "drop"
 ===Updating the rules===
-One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command:<syntaxhighlight lang="shell">
+One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command:
-oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
-</syntaxhighlight>
+ oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
 ==Source==