lunar (1) oinkmaster.1.gz

Provided by: oinkmaster_2.0-4.1_all bug

NAME

       oinkmaster - update Snort signatures

SYNOPSIS

       oinkmaster -o outdir [options]

DESCRIPTION

       Oinkmaster  is  simple tool that helps you keep your Snort rules current with little or no
       user interaction. It downloads a tarball containing the new rules  and  can  then  enable,
       disable or even make arbitrary modifications to specified rules before updating your local
       rules files.  It will also tell you the exact changes from your previous rules.

OPTIONS

       The only required argument to Oinkmaster is -o outdir where outdir is the directory to put
       the  new  rules files in. This should be where you keep your rules locally. The downloaded
       files will be compared to the ones in here before possibly overwriting them.

       Optional arguments:

       -b dir If the rules have been modified, a tarball of your old rules will  be  put  in  dir
              before  overwriting  them  with  the  new  files.  No backup is done if no file has
              changed or if Oinkmaster is running in careful mode.

       -c     Run in careful mode. This means that Oinkmaster will only  check  for  updates  and
              print them, but not update anything.

       -C cfg Use   this   configuration   file  instead  of  the  default.   If  not  specified,
              oinkmaster.conf will be looked for in /etc/  and  then  /usr/local/etc/.   You  can
              specify  multiple -C cfg to load multiple configuration files.  They will be loaded
              in order of appearance on the command line. If an option is redefined, it overrides
              the  previous  value  (except  for  the "url" option, as you are allowed to specify
              multiple URLs).

       -e     Enable rules that are disabled by  default  in  the  downloaded  rules  archive  by
              removing  all  the  leading  "#"  from them. If there are any disabled rules in the
              archive, they will stay that way unless you use this option.   Remember  that  they
              are disabled for a reason (they may not even work), so use this option with care.

       -h     Show valid command line arguments with short descriptions

       -i     Enable  interactive  mode. You will be asked to approve the changes (if any) before
              updating anything.

       -m     Minimize/simplify the diff when printing result  for  modified  rules  by  removing
              common leading and trailing parts of the old and new rule so it's easier to see the
              actual change. A few characters to the left and to the right of the change are also
              printed  so  you  get some context.  The rev keyword is ignored when the comparison
              and removal of common parts is performed because it would often make the whole idea
              fail.   (If  you  feel  it's important to be able to verify that the rev number has
              increased when a rule has been updated, do not use the minimized diff mode.)

              Normally when a rule has changed the entire old and new versions are  printed,  but
              the  actual  change  between them can be hard to see if the rules are long, complex
              and many.

              The normal output could look like this:

              Old: alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)
              New: alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)

              When using -m it would instead look something like:

              Old: ...any any -> any 22 (msg: "foo";...
              New: ...any any -> any 123 (msg: "foo";...

       -q     Run in quiet mode. Nothing is printed unless there are changes in the rules  or  if
              there are errors or warnings.

       -Q     Run  in  super-quiet mode. This is the same as -q but even more quiet when printing
              the results (the "None." stuff is not printed). It will also  suppress  some  other
              warning  messages  such  as  those  for  duplicate  SIDs and non-matching modifysid
              expressions.

       -r     Check for rules files that exist in the output directory but not in the  downloaded
              rules archive, i.e. files that may have been removed from the distribution archive.

       -s     Leave out details when printing results (aka bmc mode).  This means that the entire
              added / removed / modified rules will not  be  printed,  just  their  SID  and  msg
              string, plus the filename.  Non-rule changes are printed as usual. This output mode
              could be useful for example if you send the output by email  to  people  who  don't
              really  care  about  the  details  of  the rules, just the fact that they have been
              updated. Example output when running with -s

              [+++]          Added rules:          [+++]

                  1607 - WEB-CGI HyperSeek hsx.cgi access (web-cgi.rules)
                  1775 - MYSQL root login attempt (mysql.rules)

              [///]     Modified active rules:     [///]

                   302 - EXPLOIT Redhat 7.0 lprd overflow (exploit.rules)
                   304 - EXPLOIT SCO calserver overflow (exploit.rules)
                   305 - EXPLOIT delegate proxy overflow (exploit.rules)
                   306 - EXPLOIT VQServer admin (exploit.rules)

       -S file
              Used in conjuction with  with  -U  to  specify  which  file(s)  in  the  downloaded
              archive(s)  to search for new variables. When not specified, snort.conf is checked.
              You may specify multiple -S file to search for new variables in multiple files.

       -T     Check the configuration file(s) for fatal errors and then exit.   Possible  warning
              messages are printed as well.

       -u url Download  the  rules  archive  from  url  instead  of the location specified in the
              configuration file.  It must start  with  file://,  ftp://,  http://,  https://  or
              scp://  and  end  with  ".tar.gz"  or  ".tgz".  The  file must be a gzipped tarball
              containing a directory named "rules", holding all the  rules  files.  It  must  not
              contain   any   symlinks.   You   can   also   point  to  a  local  directory  with
              dir://<directory>. For the official Snort rules, the URL  to  use  depends  on  the
              version  of  Snort you run and it might also require registration.  Visit the rules
              download section at the Snort web site to find the right URL and more  information.
              Remember to update the URL when upgrading to a new major version of Snort.

              You  may  specify  multiple  -u  url to grab multiple rules archives from different
              locations. All rules files in the archives will be put in the same output directory
              so if the same filename exists in multiple archives, Oinkmaster will print an error
              message and exit. That's why it's usually recommended  to  instead  run  Oinkmaster
              once  for  each URL and use separate output directories. If -u url is specified, it
              overrides any URLs specified in the configuration file(s). Note  that  if  multiple
              URLs  are  specified  and  one  of them is broken, Oinkmaster will exit immediately
              without further processing. This can be good or bad, depending on the situation.

       -U file
              Variables (i.e. "var foo bar" lines) that exist in downloaded snort.conf but not in
              file  will  be  added  to  file  right  after  any  other variables it may contain.
              Modified existing variables are not merged, only new ones.  file is  normally  your
              production  copy  of  snort.conf  (which  should  not  be a file that is updated by
              Oinkmaster the normal way).  This feature is to prevent Snort from breaking in case
              there  are  new  variables added in the downloaded rules, as Snort can not start if
              the rules use variables that aren't defined anywhere. By default when  using  -U  ,
              the  file  snort.conf in the downloaded archive is search for new variables but you
              can override this with the -S file argument. If you download  from  multiple  URLs,
              Oinkmaster will look for a snort.conf in each downloaded rules archive.

       -v     Run  in  verbose/debug mode. Should probably only be used in case you need to debug
              your settings, like verifying complex modifysid statements.  It will also tell  you
              if  you  try  to  use  "disablesid"  on  non-existent  SIDs.  Warnings  about using
              enablesid/localsid/modifysid on non-existent SIDs are always printed unless running
              in  quiet  mode,  as those are usually more important (using "disablesid" on a non-
              existent rule is a NOOP anyway).

       -V     Show version and exit.

EXAMPLES

       Download rules archive from default location specified in oinkmaster.conf and put the  new
       rules in /etc/rules/:

           oinkmaster -o /etc/rules

       Grab  rules  archive  from  local  filesystem and do not print anything unless it contains
       updated rules:

           oinkmaster -u file:///tmp/rules.tar.gz -o /etc/rules -q

       Download rules archive from default location, make backup  of  old  rules  if  there  were
       updates,  and  send output by e-mail. (Note however that if you plan on distributing files
       with Oinkmaster that could be considered sensitive,  such  as  Snort  configuration  files
       containing  database passwords, you should of course not send the output by e-mail without
       first encrypting the content.):

           oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \
           mail -s "subject" user@example.com

       Grab three  different  rules  archives  and  merge  variables  that  exist  in  downloaded
       snort.conf and foo.conf but not in local /etc/snort/snort.conf:

           oinkmaster -u file:///tmp/foo.rules.tar.gz \
           -u http://somewhere/rules.tar.gz -u https://blah/rules.tar.gz \
           -o /etc/rules -S snort.conf -S foo.conf -U /etc/snort/snort.conf

       Load  settings  from  two different files, use scp to download rules archive from a remote
       host where you have put the rules archive, merge variables from downloaded snort.conf, and
       send  results  by  e-mail only if anything changed or if there were any error messages. It
       assumes that the "mktemp" command is available on the system:

           TMP=`mktemp /tmp/oinkmaster.XXXXXX` && \
           (oinkmaster -C /etc/oinkmaster-global.conf \
           -C /etc/oinkmaster-sensor.conf -o /etc/rules \
           -U /etc/snort.conf \
           -u scp://user@example.com:/home/user/rules.tar.gz \
           > $TMP 2>&1; if [ -s $TMP ]; then mail -s "subject" \
           you@example.com < $TMP; fi; rm $TMP)

FILES

       /etc/oinkmaster.conf
       /usr/local/etc/oinkmaster.conf

BUGS

       If you find a bug, report it by e-mail to the author. Always include as  much  information
       as possible.

HISTORY

       The  initial  version  was  released in early 2001 under the name arachnids_upd. It worked
       only with the ArachNIDS Snort rules, but as times changed, it was rewritten to  work  with
       the official Snort rules and the new name became Oinkmaster.

AUTHOR

       Andreas Ostling <andreas_ostling@bredband.net>

SEE ALSO

       The online documentation at http://oinkmaster.sf.net/ contains more information.

                                         January 14, 2004                           OINKMASTER(1)