Oinkmaster Features (some of them)
- Basically it's a simple Perl (5.6.1+) script to help you keep your Snort signatures current
with little or no user interaction. It's extremely easy to install and operate, and also easy to
integrate with other scripts and applications if needed.
- It runs on most Unix-like systems (Linux, *BSD, Solaris, Mac OS X, etc)
and also on Windows with either Cygwin or ActivePerl. As of Oinkmaster 1.0,
you don't need any external binaries if you have the right Perl modules (which are
already included in ActivePerl).
- Can be used to update the official Snort (VRT licensed) rules, the community rules
and third party rules such as the Bleeding Snort rules. You can even download multiple
rules archives at the same time.
- Oinkmaster's contrib directory contains several useful scripts related to
rules management, like adding SIDs to rules that don't have any, creating SID maps (sid-msg.map), and so on.
- Oinkmaster and all the contrib scripts are released under the BSD license.
- Can disable and enable specified rules and also make arbitrary modifications
(by using regular expressions, optionally by using templates) to them after each update.
The most common usage is to disable rules that are not suitable for your
environment, so that you don't have to disable them manually each time you
download the new rules. The modification feature can for example be used to
switch $HOME_NET/$EXTERNAL_NET in specific (or all) rules, or replace "alert" with "drop"
if you're running Snort_inline, and so on. See oinkmaster.conf for more
examples.
- You can mark certain rules as being "locally modified" to prevent them from being
updated.
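The two items above (disablesid/enablesid/modifysid-style tuning and "locally modified" rules that must survive an update) can be illustrated with a small rule-processing pass. This is an added example written in Python rather than Oinkmaster's Perl; it is not Oinkmaster's code, and the rule lines, SIDs, function names and the processing order (regex modifications first, then enable/disable) are all my own assumptions:

```python
import re

# Constructed sample "downloaded" rules; SIDs and messages are made up for this example.
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example one"; content:"foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example two"; content:"bar"; sid:1000002; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example three"; content:"baz"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP example four"; sid:1000004; rev:3;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A rule line starts with an action keyword, possibly behind one or more '#' (disabled rule).
RULE_START = re.compile(r"^\s*#*\s*(alert|log|pass|drop|reject|sdrop)\s")


def sid_of(line):
    """Return the SID of a (possibly commented-out) rule line, or None for non-rule lines."""
    m = SID_RE.search(line)
    return int(m.group(1)) if (m and RULE_START.match(line)) else None


def apply_policy(text, disable=(), enable=(), modify=(), local=None):
    """
    disable / enable: SIDs to comment out / uncomment after the update.
    modify: list of (sid_or_'*', regex, replacement) applied to matching rules,
            the equivalent of modifysid in this example.
    local:  {sid: rule_line} of locally modified rules; the local copy always wins,
            mirroring the "locally modified" feature described on the page.
    Non-rule lines are passed through untouched.
    """
    local = local or {}
    out = []
    for line in text.splitlines():
        sid = sid_of(line)
        if sid is None:
            out.append(line)
            continue
        if sid in local:
            out.append(local[sid])          # keep our version, ignore the downloaded one
            continue
        for target, pattern, repl in modify:
            if target == "*" or target == sid:
                line = re.sub(pattern, repl, line)
        stripped = re.sub(r"^\s*#+\s*", "", line)
        if sid in disable:
            line = "# " + stripped          # disable: comment the rule out
        elif sid in enable:
            line = stripped                 # enable: remove the leading comment marker
        out.append(line)
    return "\n".join(out) + "\n"


def demo():
    """Apply a constructed policy to the sample rules and return the resulting lines."""
    local_rules = {
        1000004: 'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 '
                 '(msg:"SMTP example four (local edit)"; sid:1000004; rev:3;)',
    }
    result = apply_policy(
        NEW_RULES,
        disable={1000001},                      # not relevant in this environment
        enable={1000003},                       # shipped disabled, we want it on
        modify=[(1000002, r"^alert", "drop")],  # e.g. for an inline deployment
        local=local_rules,
    )
    return result.splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the block prints the four processed rules: the first commented out, the second with its action rewritten, the third re-enabled, and the fourth replaced by the local copy. Keeping the policy in data (sets of SIDs and regex pairs) rather than hand-editing rule files is exactly what makes the tuning survive the next download.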
- It will print what has changed since the last update, so you'll
have total control of what's going on. The result can be printed in a few different formats.
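What such a change report has to compute is a comparison of the old and new rule sets keyed by SID. The following is an added example in Python, not Oinkmaster's own reporting code; the sample rule sets are constructed and the change categories (added, removed, modified, enabled, disabled) are my own choice of what a reviewer wants to see before accepting an update:

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Group 1 captures a leading comment marker, which tells us the rule is disabled.
RULE_RE = re.compile(r"^\s*(#+\s*)?(alert|log|pass|drop|reject|sdrop)\s")

# Constructed "previous" and "freshly downloaded" rule sets (made-up SIDs).
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"A"; content:"a"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"B"; content:"b"; sid:2000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"C"; content:"c"; sid:2000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"D"; content:"d"; sid:2000004; rev:1;)
"""
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"A"; content:"a"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"B"; content:"bb"; sid:2000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"C"; content:"c"; sid:2000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"E"; content:"e"; sid:2000005; rev:1;)
"""


def index_rules(text):
    """Map SID -> (is_enabled, rule body with any leading '#' removed)."""
    rules = {}
    for line in text.splitlines():
        m, s = RULE_RE.match(line), SID_RE.search(line)
        if not (m and s):
            continue                     # variables, comments, blank lines
        enabled = m.group(1) is None
        body = re.sub(r"^\s*#+\s*", "", line).rstrip()
        rules[int(s.group(1))] = (enabled, body)
    return rules


def diff_rules(old_text, new_text):
    """Classify every SID present in either set; a rule may be both modified and (re)enabled."""
    old, new = index_rules(old_text), index_rules(new_text)
    changes = {k: [] for k in ("added", "removed", "modified", "enabled", "disabled")}
    for sid in sorted(set(old) | set(new)):
        if sid not in old:
            changes["added"].append(sid)
        elif sid not in new:
            changes["removed"].append(sid)
        else:
            old_on, old_body = old[sid]
            new_on, new_body = new[sid]
            if old_body != new_body:
                changes["modified"].append(sid)
            if old_on and not new_on:
                changes["disabled"].append(sid)
            elif new_on and not old_on:
                changes["enabled"].append(sid)
    return changes


def format_report(changes):
    """Plain-text summary, one line per non-empty category."""
    lines = [f"[{name}] " + ", ".join(str(s) for s in sids)
             for name, sids in changes.items() if sids]
    return "\n".join(lines) if lines else "No changes."


if __name__ == "__main__":
    print(format_report(diff_rules(OLD_RULES, NEW_RULES)))
```

Comparing the rule body with the comment marker stripped is what lets the report distinguish "the vendor changed this signature" from "this signature was merely switched on or off", and both are worth a human look before the new file replaces the old one.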
- Centralized rules management: it can easily be used to distribute rules (both the official and
your homemade ones) between multiple sensors, with the ability to use a global configuration file
plus sensor-specific settings on each sensor. The rules archive can be fetched over
http, https, ftp or scp, or copied from the local filesystem.
- It's not trying to be too smart and understand every part
of the signatures and should therefore not be confused when new keywords
are introduced etc. (Should a rule line fail to parse, it will
simply be regarded as a non-rule line instead, and those are actually updated too anyway.)
- I've at least tried to document everything.
- Includes the beginning of a GUI written in Perl/Tk.
It should be fully working but probably needs more testing.
- Can merge new variables from snort.conf in the distribution tarball
into your local copy.
- Handles multi-line rules (and so do the contrib scripts).
- Can back up your old rules before overwriting them with the new ones.
- Can skip certain files and also check for files that have been removed from the archive.
- You can run in interactive mode. You will be asked to approve the changes
(if any) before updating your local rules.
- If there are duplicate SIDs in the downloaded rules archive, you will be warned and the
duplicated rules are removed (in a semi-intelligent way) to avoid problems.
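The multi-line handling and the duplicate-SID cleanup mentioned above both need the same first step: fold backslash-continued rules into single logical lines before looking at SIDs at all. The block below is an added Python example, not Oinkmaster's code; the sample rules are constructed, and the tie-breaking rule for duplicates (keep the highest rev, otherwise the first occurrence) is my own choice, not necessarily what Oinkmaster does:

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# Constructed rules file: one rule split over three lines with trailing backslashes,
# an older copy of the same SID, and two copies of another SID with equal rev.
SAMPLE = r"""alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"split rule"; \
    content:"one"; \
    sid:3000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"split rule old"; content:"one"; sid:3000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp"; content:"two"; sid:3000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp again"; content:"two"; sid:3000002; rev:1;)
"""


def join_continuations(text):
    """Fold lines ending in a backslash into one logical line (Snort's continuation syntax)."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()   # indentation of continued lines is noise
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:                                            # file ended inside a continuation
        logical.append(buf.rstrip())
    return logical


def dedupe_sids(lines):
    """
    Return (kept_lines, warnings). Commented-out lines are ignored. For duplicate
    SIDs keep the highest rev; on a tie keep the first occurrence. Every duplicate
    produces a warning so the operator sees what was dropped.
    """
    best = {}          # sid -> (rev, index of the line currently kept)
    drop, warnings = set(), []
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#"):
            continue
        s = SID_RE.search(line)
        if not s:
            continue
        sid = int(s.group(1))
        r = REV_RE.search(line)
        rev = int(r.group(1)) if r else 0
        if sid not in best:
            best[sid] = (rev, i)
            continue
        prev_rev, prev_i = best[sid]
        if rev > prev_rev:
            drop.add(prev_i)
            best[sid] = (rev, i)
            warnings.append(f"duplicate sid {sid}: keeping rev {rev}, dropping rev {prev_rev}")
        else:
            drop.add(i)
            warnings.append(f"duplicate sid {sid}: keeping rev {prev_rev}, dropping rev {rev}")
    kept = [line for i, line in enumerate(lines) if i not in drop]
    return kept, warnings


def process(text):
    """Join continuations, then remove duplicate SIDs; returns (kept_lines, warnings)."""
    return dedupe_sids(join_continuations(text))


if __name__ == "__main__":
    kept, warnings = process(SAMPLE)
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(kept))
```

Doing the join first matters: a SID that sits on the third physical line of a rule would otherwise be invisible to the duplicate check, and the backslash-split rule would be torn apart when one of its halves is dropped.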
- Oinkmaster can read any number of configuration files, either specified on the command line
or pulled in with 'include' statements, so you can use one global config and one
sensor-specific config for fine-tuning etc.
- Can be used in conjunction with other programs using Snort rules, like Prelude-NIDS.
Missing features? Let me know, or send me patches.