[-] oinkmaster [-]
snort_sm
 
  News
  About
  Features
  Download
  CVS
  Documentation
  FAQ
  GUI
  Feedback
  Mailing list
  SF project page

 
# $Id: INSTALL,v 1.53 2006/01/28 21:27:03 andreas_o Exp $ #

Quick installation instructions for Oinkmaster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Put oinkmaster.pl in some suitable directory, for example 
   /usr/local/bin/. Put oinkmaster.conf in /etc/ or /usr/local/etc/
   (this is where Oinkmaster will search for it by default).
   You may also want to copy the man page (oinkmaster.1) to 
   something like /usr/local/man/man1/.


2) Edit oinkmaster.conf that you copied in step 1). The defaults should 
   be fine for most users, although one thing you must change is
   "url = ", which specifies the location of the rules archive.
   The URL to use depends on which version of Snort you run and also what 
   type of rules you want to use. Some may require registration. See Q1 
   in the FAQ for more information.


3) Decide in which directory you want to put the new rules. If you 
   have Snort up and running already, you should use the directory where 
   you keep the rules files. It's a very good idea to create a backup of 
   it first. You must run Oinkmaster as a user that has read/write access 
   to your rules directory and all rules files in it. It should however 
   *NOT* be a privileged user such as root! 
   Never run Oinkmaster as root.


Done! 
Assuming your rules directory is /etc/snort/rules/, you can now update 
those rules by running:

  oinkmaster.pl -o /etc/snort/rules



Extra installation notes
~~~~~~~~~~~~~~~~~~~~~~~~

If you're new to Oinkmaster, it's recommended that you read the entire 
README and FAQ. You may also run oinkmaster.pl -h to list all available 
command line options. They are described in more detail in the Oinkmaster 
manual page. See the FAQ if you need to setup proxy configuration.

In oinkmaster.conf you will tell Oinkmaster things like which rules or 
files you want to disable/enable/modify/ignore. If you already have 
several rules commented out (or removed) in your current rules files, you
must add "disablesid" statements for those SIDs to oinkmaster.conf so 
they don't get re-enabled after updating the rules (there is a help 
script for that, see makesidex.pl in the contrib directory). Remember 
that after switching to Oinkmaster for updating the rules, all permanent 
modifications to the rules must be done by editing oinkmaster.conf, not 
by editing the rules files directly.

If you need more help, see the documentation at
http://oinkmaster.sourceforge.net/ or ask on the Oinkmaster mailing list.

Snort and the Snort logo are trademarks or registered trademarks of Sourcefire, Inc.