
Provided by: oinkmaster_2.0-4_all

NAME

       oinkmaster - update Snort signatures

SYNOPSIS

       oinkmaster -o outdir [options]

DESCRIPTION

       Oinkmaster  is  a  simple  tool  that  helps  you  keep  your  Snort  rules  current  with little or no user
       interaction. It downloads a tarball containing the new rules and can then enable, disable  or  even  make
       arbitrary modifications to specified rules before updating your local rules files.  It will also tell you
       the exact changes from your previous rules.

OPTIONS

       The only required argument to Oinkmaster is -o outdir where outdir is the directory to put the new  rules
       files  in. This should be where you keep your rules locally. The downloaded files will be compared to the
       ones in here before possibly overwriting them.

       Optional arguments:

       -b dir If the rules have been modified, a tarball of your old rules will be put in dir before overwriting
              them  with  the new files. No backup is done if no file has changed or if Oinkmaster is running in
              careful mode.

       -c     Run in careful mode. This means that Oinkmaster will only check for updates and  print  them,  but
              not update anything.

       -C cfg Use  this  configuration  file  instead of the default.  If not specified, oinkmaster.conf will be
              looked for in /etc/ and then /usr/local/etc/.  You can specify multiple -C cfg  to  load  multiple
              configuration files.  They will be loaded in order of appearance on the command line. If an option
              is redefined, it overrides the previous value (except for the "url" option, as you are allowed  to
              specify multiple URLs).

       -e     Enable  rules  that  are  disabled  by default in the downloaded rules archive by removing all the
              leading "#" from them. If there are any disabled rules in the archive, they  will  stay  that  way
              unless  you  use  this  option.   Remember  that they are disabled for a reason (they may not even
              work), so use this option with care.

       -h     Show valid command line arguments with short descriptions.

       -i     Enable interactive mode. You will be asked  to  approve  the  changes  (if  any)  before  updating
              anything.

       -m     Minimize/simplify  the diff when printing result for modified rules by removing common leading and
              trailing parts of the old and new rule so it's easier to see the actual change. A  few  characters
              to  the  left  and  to  the right of the change are also printed so you get some context.  The rev
              keyword is ignored when the comparison and removal of common parts is performed because  it  would
              often  make  the  whole  idea fail.  (If you feel it's important to be able to verify that the rev
              number has increased when a rule has been updated, do not use the minimized diff mode.)

              Normally when a rule has changed the entire old and new  versions  are  printed,  but  the  actual
              change between them can be hard to see if the rules are long, complex and many.

              The normal output could look like this:

              Old: alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)
              New: alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)

              When using -m it would instead look something like:

              Old: ...any any -> any 22 (msg: "foo";...
              New: ...any any -> any 123 (msg: "foo";...
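               The minimisation described above, written out in Python as an added illustration (this is not
               Oinkmaster's own code): the rev keyword is dropped, the common leading and trailing parts of the
               old and new rule are cut away, and a few characters of context are kept on each side. The
               15-character context width and the fallback for rules that differ only in rev are assumptions.

```python
import re

CONTEXT = 15  # assumed context width; Oinkmaster's real value may differ
_REV_RE = re.compile(r'\s*rev:\s*\d+\s*;')


def strip_rev(rule: str) -> str:
    """Drop the rev keyword so a bumped revision alone does not defeat the minimisation."""
    return _REV_RE.sub('', rule)


def minimize_diff(old: str, new: str, context: int = CONTEXT) -> tuple[str, str]:
    """Return (old, new) with common leading/trailing text replaced by '...'.

    Rules identical once rev is ignored are returned untouched (assumed fallback).
    """
    o, n = strip_rev(old), strip_rev(new)
    if o == n:
        return old, new
    limit = min(len(o), len(n))
    # Length of the common prefix.
    p = 0
    while p < limit and o[p] == n[p]:
        p += 1
    # Length of the common suffix, never overlapping the prefix.
    s = 0
    while s < limit - p and o[-1 - s] == n[-1 - s]:
        s += 1
    start = max(0, p - context)

    def trim(rule: str) -> str:
        end = min(len(rule), len(rule) - s + context)
        text = rule[start:end]
        if start > 0:
            text = '...' + text
        if end < len(rule):
            text += '...'
        return text

    return trim(o), trim(n)


if __name__ == '__main__':
    # Constructed sample: the two rules shown in the description above.
    OLD = 'alert tcp any any -> any 22 (msg: "foo"; flags: A+; rev:1;)'
    NEW = 'alert tcp any any -> any 123 (msg: "foo"; flags: A+; rev:2;)'
    o, n = minimize_diff(OLD, NEW)
    print('Old:', o)
    print('New:', n)
```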

       -q     Run in quiet mode. Nothing is printed unless there are changes in the rules or if there are errors
              or warnings.

       -Q     Run in super-quiet mode. This is the same as -q but even more quiet when printing the results (the
              "None." stuff is not printed). It will also suppress some other warning messages such as those for
              duplicate SIDs and non-matching modifysid expressions.

       -r     Check for rules files that exist in the output directory but not in the downloaded rules  archive,
              i.e. files that may have been removed from the distribution archive.

       -s     Leave  out  details  when  printing  results  (aka  bmc mode).  This means that the entire added /
              removed / modified rules will not be printed, just their SID and msg string,  plus  the  filename.
              Non-rule  changes  are  printed as usual. This output mode could be useful for example if you send
              the output by email to people who don't really care about the details of the rules, just the  fact
               that they have been updated. Example output when running with -s:

              [+++]          Added rules:          [+++]

                  1607 - WEB-CGI HyperSeek hsx.cgi access (web-cgi.rules)
                  1775 - MYSQL root login attempt (mysql.rules)

              [///]     Modified active rules:     [///]

                   302 - EXPLOIT Redhat 7.0 lprd overflow (exploit.rules)
                   304 - EXPLOIT SCO calserver overflow (exploit.rules)
                   305 - EXPLOIT delegate proxy overflow (exploit.rules)
                   306 - EXPLOIT VQServer admin (exploit.rules)

       -S file
               Used in conjunction with -U to specify which file(s) in the downloaded archive(s) to  search
              for new variables. When not specified, snort.conf is checked.  You may specify multiple -S file to
              search for new variables in multiple files.

       -T     Check  the  configuration  file(s)  for fatal errors and then exit.  Possible warning messages are
              printed as well.

       -u url Download the rules archive from url instead of the location specified in the  configuration  file.
              It  must start with file://, ftp://, http://, https:// or scp:// and end with ".tar.gz" or ".tgz".
              The file must be a gzipped tarball containing a directory named "rules",  holding  all  the  rules
              files.  It  must  not  contain  any  symlinks.  You  can  also  point  to  a  local directory with
              dir://<directory>. For the official Snort rules, the URL to use depends on the  version  of  Snort
              you run and it might also require registration.  Visit the rules download section at the Snort web
              site to find the right URL and more information. Remember to update the URL when  upgrading  to  a
              new major version of Snort.

              You  may  specify  multiple  -u  url to grab multiple rules archives from different locations. All
              rules files in the archives will be put in the same output  directory  so  if  the  same  filename
              exists  in  multiple  archives,  Oinkmaster  will print an error message and exit. That's why it's
              usually recommended to  instead  run  Oinkmaster  once  for  each  URL  and  use  separate  output
              directories. If -u url is specified, it overrides any URLs specified in the configuration file(s).
              Note that if multiple URLs are  specified  and  one  of  them  is  broken,  Oinkmaster  will  exit
              immediately without further processing. This can be good or bad, depending on the situation.

       -U file
              Variables  (i.e.  "var foo bar" lines) that exist in downloaded snort.conf but not in file will be
              added to file right after any other variables it may contain.  Modified existing variables are not
              merged, only new ones.  file is normally your production copy of snort.conf (which should not be a
              file that is updated by Oinkmaster the normal  way).   This  feature  is  to  prevent  Snort  from
              breaking  in case there are new variables added in the downloaded rules, as Snort can not start if
               the rules use variables that aren't defined anywhere. By default  when  using  -U,  the  file
               snort.conf in the downloaded archive is searched for new variables, but you can override this with
              the -S file argument. If you download from multiple URLs, Oinkmaster will look for a snort.conf in
              each downloaded rules archive.
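               The merge that -U performs, written out in Python as an added illustration (not Oinkmaster's own
               code): the var lines of one or more downloaded configuration files are collected, and those whose
               names are missing from the local snort.conf are appended directly after its last existing var
               line, leaving already-defined variables untouched. The sample file contents are constructed, and
               placing new variables at the top of a local file that has no var lines at all is an assumption.

```python
import re

# Matches Snort variable definitions such as 'var HOME_NET 10.0.0.0/8'.
VAR_RE = re.compile(r'^\s*var\s+(\S+)\s+(.*\S)\s*$')

# Constructed sample files: the local snort.conf, the downloaded one, and a second file named with -S.
SAMPLE_LOCAL = ('# production snort.conf\n'
                'var HOME_NET 10.0.0.0/8\n'
                'var EXTERNAL_NET any\n\n'
                'include classification.config\n')
SAMPLE_DOWNLOADED = ('var HOME_NET any\n'
                     'var EXTERNAL_NET any\n'
                     'var DNS_SERVERS $HOME_NET\n'
                     'var HTTP_PORTS 80\n')
SAMPLE_FOO = 'var HTTP_PORTS 8080\nvar ORACLE_PORTS 1521\n'


def parse_vars(text: str) -> dict[str, str]:
    """Map each variable name to its first 'var' line, in order of appearance."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m and m.group(1) not in found:
            found[m.group(1)] = line.rstrip()
    return found


def merge_new_vars(local_conf: str, *downloaded_confs: str) -> tuple[str, list[str]]:
    """Return (merged local_conf, names added) without touching existing variables."""
    local_vars = parse_vars(local_conf)
    additions: dict[str, str] = {}
    for conf in downloaded_confs:
        for name, line in parse_vars(conf).items():
            # Skip names the local file already defines (even with another value) or an earlier archive supplied.
            if name not in local_vars and name not in additions:
                additions[name] = line
    lines = local_conf.splitlines()
    # Insert right after the last existing var line (top of file if there is none: assumption).
    insert_at = 0
    for i, line in enumerate(lines):
        if VAR_RE.match(line):
            insert_at = i + 1
    lines[insert_at:insert_at] = list(additions.values())
    return '\n'.join(lines) + '\n', list(additions)


if __name__ == '__main__':
    merged, added = merge_new_vars(SAMPLE_LOCAL, SAMPLE_DOWNLOADED, SAMPLE_FOO)
    print('Added:', added)
    print(merged, end='')
```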

       -v     Run  in  verbose/debug mode. Should probably only be used in case you need to debug your settings,
              like verifying complex modifysid statements.  It will also tell you if you try to use "disablesid"
              on  non-existent  SIDs. Warnings about using enablesid/localsid/modifysid on non-existent SIDs are
              always printed unless  running  in  quiet  mode,  as  those  are  usually  more  important  (using
              "disablesid" on a non-existent rule is a NOOP anyway).

       -V     Show version and exit.

EXAMPLES

       Download  rules  archive  from  default  location  specified  in oinkmaster.conf and put the new rules in
       /etc/rules/:

           oinkmaster -o /etc/rules

       Grab rules archive from local filesystem and do not print anything unless it contains updated rules:

           oinkmaster -u file:///tmp/rules.tar.gz -o /etc/rules -q

       Download rules archive from default location, make backup of old rules if there were  updates,  and  send
       output  by  e-mail.  (Note  however  that if you plan on distributing files with Oinkmaster that could be
       considered sensitive, such as Snort configuration files containing  database  passwords,  you  should  of
       course not send the output by e-mail without first encrypting the content.):

           oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \
           mail -s "subject" user@example.com

       Grab  three different rules archives and merge variables that exist in downloaded snort.conf and foo.conf
       but not in local /etc/snort/snort.conf:

           oinkmaster -u file:///tmp/foo.rules.tar.gz \
           -u http://somewhere/rules.tar.gz -u https://blah/rules.tar.gz \
           -o /etc/rules -S snort.conf -S foo.conf -U /etc/snort/snort.conf

       Load settings from two different files, use scp to download rules archive from a remote  host  where  you
       have  put  the rules archive, merge variables from downloaded snort.conf, and send results by e-mail only
       if anything changed or if there were any  error  messages.  It  assumes  that  the  "mktemp"  command  is
       available on the system:

           TMP=`mktemp /tmp/oinkmaster.XXXXXX` && \
           (oinkmaster -C /etc/oinkmaster-global.conf \
           -C /etc/oinkmaster-sensor.conf -o /etc/rules \
           -U /etc/snort.conf \
           -u scp://user@example.com:/home/user/rules.tar.gz \
           > $TMP 2>&1; if [ -s $TMP ]; then mail -s "subject" \
           you@example.com < $TMP; fi; rm $TMP)

FILES

       /etc/oinkmaster.conf
       /usr/local/etc/oinkmaster.conf

BUGS

       If you find a bug, report it by e-mail to the author. Always include as much information as possible.

HISTORY

       The  initial  version  was  released  in early 2001 under the name arachnids_upd. It worked only with the
       ArachNIDS Snort rules, but as times changed, it was rewritten to work with the official Snort  rules  and
       the new name became Oinkmaster.

AUTHOR

       Andreas Ostling <andreas_ostling@bredband.net>

SEE ALSO

       The online documentation at http://oinkmaster.sf.net/ contains more information.

                                                January 14, 2004                                   OINKMASTER(1)