Oinkmaster 2.0 review
DownloadOinkmaster is a script that will help you update and manage your Snort rules
|
|
Oinkmaster is a script that will help you update and manage your Snort rules. It is released under the BSD license and will work on most platforms that can run Perl scripts, e.g. Linux, *BSD, Mac OS X, Solaris, Windows, etc.
Oinkmaster can be used to update and manage the VRT licensed rules, the community rules, the bleeding-snort rules and other third party rules, including your own local rules.
Here are some key features of "Oinkmaster":
Basically it's a simple Perl (5.6.1+) script to help you keep your Snort signatures current with little or no user interaction. It's extremely easy to install and operate, and also easy to integrate with other scripts and applications if needed.
It runs on most Unix-like systems (Linux, *BSD, Solaris, Mac OS X, etc) and also on Windows with either Cygwin or ActivePerl. As of Oinkmaster 1.0, you don't need any external binaries if you have the right Perl modules (which are already included in ActivePerl).
Can be used to update the official Snort (VRT licensed) rules, the community rules and third party rules such as the Bleeding Snort rules. You can even download multiple rules archives at the same time.
Oinkmaster's contrib directory contains several useful scripts related to rules management, like adding SIDs to rules that don't have any, creating SID maps (sid-msg.map), and so on.
Oinkmaster and all the contrib scripts are released under the BSD license.
Can disable and enable specified rules and also make arbitrary modifications (by using regular expressions, optionally by using templates) to them after each update. The most common usage is to disable rules that are not suitable for your environment, so that you don't have to disable them manually each time you download the new rules. The modification feature can for example be used to switch $HOME_NET/$EXTERNAL_NET in specific (or all) rules, or replace "alert" with "drop" if you're running Snort_inline, and so on. See oinkmaster.conf for more examples.
You can mark certain rules as being "locally modified" to prevent them from being updated.
It will print what had changed since the last update, so you'll have total control of what's going on. The result can be printed in a few different formats.
Centralized rules management - It can easily be used to distribute rules (both the official and your homemade ones) between multiple sensors with ability to use a global configuration file and also sensor-specific settings on each sensor. The rules archive can be received by using http, https, ftp, scp or copied from local filesystem.
It's not trying to be too smart and understand every part of the signatures and should therefore not be confused when new keywords are introduced etc. (Should a rule line fail to parse, it will simply be regarded as a non-rule line instead, and those are actually updated too anyway.)
I've at least tried to document everything.
Includes the beginning of a GUI written in Perl/Tk. It should be fully working but probably needs more testing.
Can merge new variables from snort.conf in the distribution tarball into your local copy.
Handles multi-line rules (and so does the contrib scripts).
Can backup your old rules before overwriting them with the new ones.
Can skip certain files and also check for files that have been removed from the archive.
You can run in interactive mode. You will be asked to approve the changes (if any) before updating your local rules.
If there are duplicate SIDs in the downloaded rules archive, you will be warned and the duplicated rules are removed (in a semi-intelligent way) to avoid problems.
Oinkmaster can read any number of configuration files, either specified on the command line or by using 'include' statements, so you can use one global config and one sensor-specific config for finetuning etc.
Can be used in conjunction with other programs using Snort rules, like Prelude-NIDS.
What's New in This Release:
Minor feature enhancements and documentation updates were made.
Oinkmaster 2.0 keywords