oinkmaster - Online in the Cloud

PROGRAM:

NAME


oinkmaster - update Snort signatures

SYNOPSIS


oinkmaster -o outdir [options]

DESCRIPTION


Oinkmaster is a simple tool that helps you keep your Snort rules current with little or no
user interaction. It downloads a tarball containing the new rules and can then enable,
disable or even make arbitrary modifications to specified rules before updating your local
rules files. It will also tell you the exact changes from your previous rules.

OPTIONS


The only required argument to Oinkmaster is -o outdir where outdir is the directory to put
the new rules files in. This should be where you keep your rules locally. The downloaded
files will be compared to the ones in here before possibly overwriting them.

Optional arguments:

-b dir If the rules have been modified, a tarball of your old rules will be put in dir
before overwriting them with the new files. No backup is done if no file has
changed or if Oinkmaster is running in careful mode.

-c Run in careful mode. This means that Oinkmaster will only check for updates and
print them, but not update anything.

-C cfg Use this configuration file instead of the default. If not specified,
oinkmaster.conf will be looked for in /etc/ and then /usr/local/etc/. You can
specify multiple -C cfg to load multiple configuration files. They will be loaded
in order of appearance on the command line. If an option is redefined, it overrides
the previous value (except for the "url" option, as you are allowed to specify
multiple URLs).

-e Enable rules that are disabled by default in the downloaded rules archive by
removing all the leading "#" from them. If there are any disabled rules in the
archive, they will stay that way unless you use this option. Remember that they
are disabled for a reason (they may not even work), so use this option with care.

-h Show valid command line arguments with short descriptions.

-i Enable interactive mode. You will be asked to approve the changes (if any) before
updating anything.

-m Minimize/simplify the diff when printing result for modified rules by removing
common leading and trailing parts of the old and new rule so it's easier to see the
actual change. A few characters to the left and to the right of the change are also
printed so you get some context. The rev keyword is ignored when the comparison
and removal of common parts is performed because it would often make the whole idea
fail. (If you feel it's important to be able to verify that the rev number has
increased when a rule has been updated, do not use the minimized diff mode.)

Normally when a rule has changed the entire old and new versions are printed, but
the actual change between them can be hard to see if the rules are long, complex
and many.

The normal output could look like this:

Old: alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)
New: alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)

When using -m it would instead look something like:

Old: ...any any -> any 22 (msg: "foo";...
New: ...any any -> any 123 (msg: "foo";...
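The minimized comparison, as an added Python illustration of the idea behind -m (this is not oinkmaster's own code and its exact cut points differ): the rev keyword is dropped before comparing, and the common leading and trailing parts are replaced with "..." while a few characters of context are kept on each side of the change.

```python
import re

# Added illustration of the technique behind -m (not oinkmaster's own code,
# and not its exact output): ignore the rev keyword, then cut the common
# leading and trailing parts, keeping a few characters of context.
REV_RE = re.compile(r"\s*rev\s*:\s*\d+\s*;")

def strip_rev(rule):
    """Remove the rev keyword so that a rev bump alone is not a change."""
    return REV_RE.sub("", rule.strip())

def minimize_diff(old_rule, new_rule, context=8):
    """Return (old_min, new_min) with the common prefix and suffix replaced
    by '...', or None when the rules differ only in their rev number."""
    old, new = strip_rev(old_rule), strip_rev(new_rule)
    if old == new:
        return None
    limit = min(len(old), len(new))
    pre = 0  # length of the common leading part
    while pre < limit and old[pre] == new[pre]:
        pre += 1
    suf = 0  # length of the common trailing part, not overlapping the prefix
    while suf < limit - pre and old[-1 - suf] == new[-1 - suf]:
        suf += 1

    def cut(rule):
        start = max(0, pre - context)
        end = min(len(rule), len(rule) - suf + context)
        piece = rule[start:end]
        if start > 0:
            piece = "..." + piece
        if end < len(rule):
            piece += "..."
        return piece

    return cut(old), cut(new)

def format_change(old_rule, new_rule):
    """Render the Old:/New: lines of a minimized report."""
    minimized = minimize_diff(old_rule, new_rule)
    if minimized is None:
        return "Only the rev number changed."
    return "Old: %s\nNew: %s" % minimized

# Constructed sample rules, the same pair as in the text above.
OLD = 'alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)'
NEW = 'alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)'
```

Calling format_change(OLD, NEW) prints the port change with its surrounding context only; a pair that differs solely in rev is reported as unchanged, which is exactly why the text warns against -m when you need to verify rev bumps.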

-q Run in quiet mode. Nothing is printed unless there are changes in the rules or if
there are errors or warnings.

-Q Run in super-quiet mode. This is the same as -q but even more quiet when printing
the results (the "None." stuff is not printed). It will also suppress some other
warning messages such as those for duplicate SIDs and non-matching modifysid
expressions.

-r Check for rules files that exist in the output directory but not in the downloaded
rules archive, i.e. files that may have been removed from the distribution archive.

-s Leave out details when printing results (aka bmc mode). This means that the entire
added / removed / modified rules will not be printed, just their SID and msg
string, plus the filename. Non-rule changes are printed as usual. This output mode
could be useful for example if you send the output by email to people who don't
really care about the details of the rules, just the fact that they have been
updated. Example output when running with -s:

[+++] Added rules: [+++]

1607 - WEB-CGI HyperSeek hsx.cgi access (web-cgi.rules)
1775 - MYSQL root login attempt (mysql.rules)

[///] Modified active rules: [///]

302 - EXPLOIT Redhat 7.0 lprd overflow (exploit.rules)
304 - EXPLOIT SCO calserver overflow (exploit.rules)
305 - EXPLOIT delegate proxy overflow (exploit.rules)
306 - EXPLOIT VQServer admin (exploit.rules)

-S file
Used in conjunction with -U to specify which file(s) in the downloaded
archive(s) to search for new variables. When not specified, snort.conf is checked.
You may specify multiple -S file to search for new variables in multiple files.

-T Check the configuration file(s) for fatal errors and then exit. Possible warning
messages are printed as well.

-u url Download the rules archive from url instead of the location specified in the
configuration file. It must start with file://, ftp://, http://, https:// or
scp:// and end with ".tar.gz" or ".tgz". The file must be a gzipped tarball
containing a directory named "rules", holding all the rules files. It must not
contain any symlinks. You can also point to a local directory with
dir://<directory>. For the official Snort rules, the URL to use depends on the
version of Snort you run and it might also require registration. Visit the rules
download section at the Snort web site to find the right URL and more information.
Remember to update the URL when upgrading to a new major version of Snort.

You may specify multiple -u url to grab multiple rules archives from different
locations. All rules files in the archives will be put in the same output directory
so if the same filename exists in multiple archives, Oinkmaster will print an error
message and exit. That's why it's usually recommended to instead run Oinkmaster
once for each URL and use separate output directories. If -u url is specified, it
overrides any URLs specified in the configuration file(s). Note that if multiple
URLs are specified and one of them is broken, Oinkmaster will exit immediately
without further processing. This can be good or bad, depending on the situation.

-U file
Variables (i.e. "var foo bar" lines) that exist in downloaded snort.conf but not in
file will be added to file right after any other variables it may contain.
Modified existing variables are not merged, only new ones. file is normally your
production copy of snort.conf (which should not be a file that is updated by
Oinkmaster the normal way). This feature is to prevent Snort from breaking in case
there are new variables added in the downloaded rules, as Snort can not start if
the rules use variables that aren't defined anywhere. By default when using -U,
the file snort.conf in the downloaded archive is searched for new variables but you
can override this with the -S file argument. If you download from multiple URLs,
Oinkmaster will look for a snort.conf in each downloaded rules archive.
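The variable merge that -U performs, as an added Python illustration (not oinkmaster's own code): "var NAME VALUE" lines that only the downloaded snort.conf defines are inserted after the last var line of the local file, while variables the local file already defines keep their local value. The sample configuration files are constructed for the example.

```python
import re

# Added illustration of the -U variable merge (not oinkmaster's own code):
# "var NAME VALUE" lines present in the downloaded snort.conf but absent
# from the local file are appended after the local file's last var line;
# variables that exist locally keep their local value even if the
# downloaded copy defines them differently.
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S.*?)\s*$")

def parse_vars(text):
    """Map variable name -> value for every var line in a snort.conf."""
    found = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def merge_new_vars(local_conf, downloaded_conf):
    """Return local_conf with the variables that only the downloaded
    snort.conf defines inserted right after the last local var line."""
    local_lines = local_conf.splitlines()
    local_vars = parse_vars(local_conf)
    last_var = -1  # index of the last var line; -1 means insert at the top
    for i, line in enumerate(local_lines):
        if VAR_RE.match(line):
            last_var = i
    new_lines = []
    for name, value in parse_vars(downloaded_conf).items():
        if name not in local_vars:
            new_lines.append("var %s %s" % (name, value))
    if not new_lines:
        return local_conf
    merged = local_lines[:last_var + 1] + new_lines + local_lines[last_var + 1:]
    return "\n".join(merged) + "\n"

# Constructed sample files: the production copy and a downloaded one.
LOCAL_CONF = (
    "var HOME_NET 10.0.0.0/8\n"
    "var EXTERNAL_NET !$HOME_NET\n"
    "include $RULE_PATH/local.rules\n"
)
DOWNLOADED_CONF = (
    "var HOME_NET any\n"
    "var EXTERNAL_NET any\n"
    "var HTTP_PORTS 80\n"
    "var SHELLCODE_PORTS !80\n"
)
```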

-v Run in verbose/debug mode. Should probably only be used in case you need to debug
your settings, like verifying complex modifysid statements. It will also tell you
if you try to use "disablesid" on non-existent SIDs. Warnings about using
enablesid/localsid/modifysid on non-existent SIDs are always printed unless running
in quiet mode, as those are usually more important (using "disablesid" on a
non-existent rule is a NOOP anyway).

-V Show version and exit.

EXAMPLES


Download rules archive from default location specified in oinkmaster.conf and put the new
rules in /etc/rules/:

oinkmaster -o /etc/rules

Grab rules archive from local filesystem and do not print anything unless it contains
updated rules:

oinkmaster -u file:///tmp/rules.tar.gz -o /etc/rules -q

Download rules archive from default location, make backup of old rules if there were
updates, and send output by e-mail. (Note however that if you plan on distributing files
with Oinkmaster that could be considered sensitive, such as Snort configuration files
containing database passwords, you should of course not send the output by e-mail without
first encrypting the content.):

oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \
mail -s "subject" you@example.com

Grab three different rules archives and merge variables that exist in downloaded
snort.conf and foo.conf but not in local /etc/snort/snort.conf:

oinkmaster -u file:///tmp/foo.rules.tar.gz \
-u http://somewhere/rules.tar.gz -u https://blah/rules.tar.gz \
-o /etc/rules -S snort.conf -S foo.conf -U /etc/snort/snort.conf

Load settings from two different files, use scp to download rules archive from a remote
host where you have put the rules archive, merge variables from downloaded snort.conf, and
send results by e-mail only if anything changed or if there were any error messages. It
assumes that the "mktemp" command is available on the system:

TMP=`mktemp /tmp/oinkmaster.XXXXXX` && \
(oinkmaster -C /etc/oinkmaster-global.conf \
-C /etc/oinkmaster-sensor.conf -o /etc/rules \
-U /etc/snort.conf \
-u scp://user@host:/home/user/rules.tar.gz \
> $TMP 2>&1; if [ -s $TMP ]; then mail -s "subject" \
you@example.com < $TMP; fi; rm $TMP)
