snort installation on freebsd issues - Post 34116 by Neo on Tuesday 4th of February 2003 03:16:25 PM
You simply find the file:

create_mysql_snort

or whatever the file name is and then do the same thing as instructed:

Code:
/usr/local/bin/mysql -p < /path/to/this/file/create_mysql_snort


OINKMASTER(1)                    General Commands Manual                    OINKMASTER(1)

NAME
       oinkmaster - update Snort signatures

SYNOPSIS
       oinkmaster -o outdir [options]

DESCRIPTION
       Oinkmaster is a simple tool that helps you keep your Snort rules current
       with little or no user interaction. It downloads a tarball containing the
       new rules and can then enable, disable or even make arbitrary
       modifications to specified rules before updating your local rules files.
       It will also tell you the exact changes from your previous rules.

OPTIONS
       The only required argument to Oinkmaster is -o outdir, where outdir is
       the directory to put the new rules files in. This should be where you
       keep your rules locally. The downloaded files will be compared to the
       ones in here before possibly overwriting them.

       Optional arguments:

       -b dir
              If the rules have been modified, a tarball of your old rules will
              be put in dir before overwriting them with the new files. No
              backup is done if no file has changed or if Oinkmaster is running
              in careful mode.

       -c     Run in careful mode. This means that Oinkmaster will only check
              for updates and print them, but not update anything.

       -C cfg
              Use this configuration file instead of the default. If not
              specified, oinkmaster.conf will be looked for in /etc/ and then
              /usr/local/etc/. You can specify multiple -C cfg to load multiple
              configuration files. They will be loaded in order of appearance
              on the command line. If an option is redefined, it overrides the
              previous value (except for the "url" option, as you are allowed
              to specify multiple URLs).

       -e     Enable rules that are disabled by default in the downloaded rules
              archive by removing all the leading "#" from them. If there are
              any disabled rules in the archive, they will stay that way unless
              you use this option. Remember that they are disabled for a reason
              (they may not even work), so use this option with care.

       -h     Show valid command line arguments with short descriptions.

       -i     Enable interactive mode. You will be asked to approve the changes
              (if any) before updating anything.

       -m     Minimize/simplify the diff when printing the result for modified
              rules by removing the common leading and trailing parts of the
              old and new rule so it's easier to see the actual change. A few
              characters to the left and to the right of the change are also
              printed so you get some context. The rev keyword is ignored when
              the comparison and removal of common parts is performed, because
              it would often make the whole idea fail. (If you feel it's
              important to be able to verify that the rev number has increased
              when a rule has been updated, do not use the minimized diff
              mode.) Normally when a rule has changed, the entire old and new
              versions are printed, but the actual change between them can be
              hard to see if the rules are long, complex and many. The normal
              output could look like this:

              Old: alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)
              New: alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)

              When using -m it would instead look something like:

              Old: ...any any -> any 22 (msg: "foo";...
              New: ...any any -> any 123 (msg: "foo";...

       -q     Run in quiet mode. Nothing is printed unless there are changes in
              the rules or if there are errors or warnings.

       -Q     Run in super-quiet mode. This is the same as -q but even more
              quiet when printing the results (the "None." stuff is not
              printed). It will also suppress some other warning messages such
              as those for duplicate SIDs and non-matching modifysid
              expressions.

       -r     Check for rules files that exist in the output directory but not
              in the downloaded rules archive, i.e. files that may have been
              removed from the distribution archive.

       -s     Leave out details when printing results (aka bmc mode). This
              means that the entire added / removed / modified rules will not
              be printed, just their SID and msg string, plus the filename.
              Non-rule changes are printed as usual. This output mode could be
              useful for example if you send the output by email to people who
              don't really care about the details of the rules, just the fact
              that they have been updated. Example output when running with -s:

              [+++] Added rules: [+++]
               1607 - WEB-CGI HyperSeek hsx.cgi access (web-cgi.rules)
               1775 - MYSQL root login attempt (mysql.rules)

              [///] Modified active rules: [///]
               302 - EXPLOIT Redhat 7.0 lprd overflow (exploit.rules)
               304 - EXPLOIT SCO calserver overflow (exploit.rules)
               305 - EXPLOIT delegate proxy overflow (exploit.rules)
               306 - EXPLOIT VQServer admin (exploit.rules)

       -S file
              Used in conjunction with -U to specify which file(s) in the
              downloaded archive(s) to search for new variables. When not
              specified, snort.conf is checked. You may specify multiple
              -S file to search for new variables in multiple files.

       -T     Check the configuration file(s) for fatal errors and then exit.
              Possible warning messages are printed as well.

       -u url
              Download the rules archive from url instead of the location
              specified in the configuration file. It must start with file://,
              ftp://, http://, https:// or scp:// and end with ".tar.gz" or
              ".tgz". The file must be a gzipped tarball containing a directory
              named "rules", holding all the rules files. It must not contain
              any symlinks. You can also point to a local directory with
              dir://<directory>. For the official Snort rules, the URL to use
              depends on the version of Snort you run and it might also require
              registration. Visit the rules download section at the Snort web
              site to find the right URL and more information. Remember to
              update the URL when upgrading to a new major version of Snort.
              You may specify multiple -u url to grab multiple rules archives
              from different locations. All rules files in the archives will be
              put in the same output directory, so if the same filename exists
              in multiple archives, Oinkmaster will print an error message and
              exit. That's why it's usually recommended to instead run
              Oinkmaster once for each URL and use separate output
              directories. If -u url is specified, it overrides any URLs
              specified in the configuration file(s). Note that if multiple
              URLs are specified and one of them is broken, Oinkmaster will
              exit immediately without further processing. This can be good or
              bad, depending on the situation.

       -U file
              Variables (i.e. "var foo bar" lines) that exist in the downloaded
              snort.conf but not in file will be added to file right after any
              other variables it may contain. Modified existing variables are
              not merged, only new ones. file is normally your production copy
              of snort.conf (which should not be a file that is updated by
              Oinkmaster the normal way). This feature is to prevent Snort from
              breaking in case there are new variables added in the downloaded
              rules, as Snort can not start if the rules use variables that
              aren't defined anywhere. By default when using -U, the file
              snort.conf in the downloaded archive is searched for new
              variables, but you can override this with the -S file argument.
              If you download from multiple URLs, Oinkmaster will look for a
              snort.conf in each downloaded rules archive.

       -v     Run in verbose/debug mode. Should probably only be used in case
              you need to debug your settings, like verifying complex modifysid
              statements. It will also tell you if you try to use "disablesid"
              on non-existent SIDs. Warnings about using
              enablesid/localsid/modifysid on non-existent SIDs are always
              printed unless running in quiet mode, as those are usually more
              important (using "disablesid" on a non-existent rule is a NOOP
              anyway).

       -V     Show version and exit.

EXAMPLES
       Download the rules archive from the default location specified in
       oinkmaster.conf and put the new rules in /etc/rules/:

              oinkmaster -o /etc/rules

       Grab the rules archive from the local filesystem and do not print
       anything unless it contains updated rules:

              oinkmaster -u file:///tmp/rules.tar.gz -o /etc/rules -q

       Download the rules archive from the default location, make a backup of
       the old rules if there were updates, and send the output by e-mail.
       (Note however that if you plan on distributing files with Oinkmaster
       that could be considered sensitive, such as Snort configuration files
       containing database passwords, you should of course not send the output
       by e-mail without first encrypting the content.):

              oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 | mail -s "subject" user@example.com

       Grab three different rules archives and merge variables that exist in
       the downloaded snort.conf and foo.conf but not in the local
       /etc/snort/snort.conf:

              oinkmaster -u file:///tmp/foo.rules.tar.gz -u http://somewhere/rules.tar.gz -u https://blah/rules.tar.gz -o /etc/rules -S snort.conf -S foo.conf -U /etc/snort/snort.conf

       Load settings from two different files, use scp to download the rules
       archive from a remote host where you have put the rules archive, merge
       variables from the downloaded snort.conf, and send results by e-mail
       only if anything changed or if there were any error messages. It assumes
       that the "mktemp" command is available on the system:

              TMP=`mktemp /tmp/oinkmaster.XXXXXX` && (oinkmaster -C /etc/oinkmaster-global.conf -C /etc/oinkmaster-sensor.conf -o /etc/rules -U /etc/snort.conf -u scp://user@example.com:/home/user/rules.tar.gz > $TMP 2>&1; if [ -s $TMP ]; then mail -s "subject" you@example.com < $TMP; fi; rm $TMP)

FILES
       /etc/oinkmaster.conf
       /usr/local/etc/oinkmaster.conf

BUGS
       If you find a bug, report it by e-mail to the author. Always include as
       much information as possible.

HISTORY
       The initial version was released in early 2001 under the name
       arachnids_upd. It worked only with the ArachNIDS Snort rules, but as
       times changed, it was rewritten to work with the official Snort rules
       and the new name became Oinkmaster.

AUTHOR
       Andreas Ostling <andreas_ostling@bredband.net>

SEE ALSO
       The online documentation at http://oinkmaster.sf.net/ contains more
       information.

                                January 14, 2004                   OINKMASTER(1)
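The minimized diff that -m produces, reimplemented as an added Python example (not Oinkmaster's own Perl code): the rev keyword is stripped before comparing, the common prefix and suffix are removed, and a few characters of context (the `context` width is an assumption) are kept on each side. The two rules are the constructed pair from the -m description above.

```python
import re

# Constructed sample: the old/new pair shown under -m in the man page.
OLD_RULE = 'alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)'
NEW_RULE = 'alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)'

# Matches the rev keyword (and its separating whitespace) so it can be ignored.
REV_RE = re.compile(r'\s*rev\s*:\s*\d+\s*;')


def strip_rev(rule):
    """Drop the rev keyword, which -m ignores when comparing old and new."""
    return REV_RE.sub('', rule)


def minimize_diff(old, new, context=8):
    """Return (old_fragment, new_fragment) with the common leading and trailing
    parts removed, keeping `context` characters on each side of the change.
    Returns None when the rules differ only in rev (assumed: nothing to show)."""
    o, n = strip_rev(old), strip_rev(new)
    if o == n:
        return None
    limit = min(len(o), len(n))
    # Length of the common prefix.
    p = 0
    while p < limit and o[p] == n[p]:
        p += 1
    # Length of the common suffix, not overlapping the prefix.
    s = 0
    while s < limit - p and o[-1 - s] == n[-1 - s]:
        s += 1
    start = max(0, p - context)

    def cut(rule):
        end = len(rule) - s + context
        frag = rule[start:end]
        if start > 0:
            frag = '...' + frag        # leading part was trimmed
        if end < len(rule):
            frag = frag + '...'        # trailing part was trimmed
        return frag

    return cut(o), cut(n)


def report(old, new):
    """Render the two-line Old:/New: block Oinkmaster prints for a change."""
    frags = minimize_diff(old, new)
    if frags is None:
        return 'unchanged (rev only)'
    return 'Old: %s\nNew: %s' % frags
```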
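The variable merge that -U performs, as an added Python example (not Oinkmaster's own code): only "var" lines whose name is missing from the local file are appended, directly after the last existing var line, and existing values are never overwritten. Both snort.conf texts are constructed samples; placing new variables at the top of a file that has no var lines at all is an assumption.

```python
import re

# A 'var NAME VALUE' line as Snort and Oinkmaster understand it.
VAR_RE = re.compile(r'^\s*var\s+(\S+)\s+(.*)$')

# Constructed sample: snort.conf from a downloaded rules archive.
DOWNLOADED = """\
var HOME_NET any
var EXTERNAL_NET any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
include classification.config
"""

# Constructed sample: the local production snort.conf (the -U file).
LOCAL = """\
# production snort.conf
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# rules follow
include classification.config
"""


def parse_vars(text):
    """Map variable name -> value for every var line in text (order kept)."""
    out = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).rstrip()
    return out


def merge_vars(local_text, downloaded_text):
    """Return (merged_text, added_names). Variables present in the downloaded
    file but absent locally are inserted right after the last local var line;
    a local variable with a different value is left untouched (not merged)."""
    local_vars = parse_vars(local_text)
    new_vars = [(n, v) for n, v in parse_vars(downloaded_text).items()
                if n not in local_vars]
    lines = local_text.splitlines()
    # Index of the last existing var line, or -1 (assumed: insert at top).
    last_var = max((i for i, l in enumerate(lines) if VAR_RE.match(l)),
                   default=-1)
    lines[last_var + 1:last_var + 1] = ['var %s %s' % nv for nv in new_vars]
    return '\n'.join(lines) + '\n', [n for n, _ in new_vars]
```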