Earl

We face that problem (updating snort rules from multiple sites). Our internal solution was the following:

1- Create Hw variable (HwSnort_Update_URL) used in "hwruleupdate" to set the Oinkmaster update repository.
2- Change the walleye interface (in the "Management Snort Rule" section) to accept an arbitrary URL repository. The URL is stored in the HW variable HwSnort_Update_URL.
3- Finally add "create-sidmap.pl /etc/snort/rules/ > /etc/snort/sid-msg.map" to "hwruleupdate" in the snort update section.

This works in our test with the VRT and Community rules from different sites.

Brgds
Nelson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Earl
Sent: Thursday, June 28, 2007 1:38 AM
To: [email protected]
Subject: Re: [Honeywall] Snort updates

Nelson,

I was thinking that sid-msg.map would come down fresh with each rule update but that limits things to one rule repository. Telling oinkmaster to skip downloading it then running create-sidmap.pl (as you suggest) on the entire rule set post update will cover cases when people want to configure things for updates from multiple rule repos.

There might be other tweaks to add here to make it easier to reconfig for other rule repos... I was kinda rushed... did my best to get it working for just VRT rules with hopes that it would also be reconfigurable for other repos as well.

Great tip. I'll get to this one soon.

thanks!
Earl

On Wed, 27 Jun 2007 15:27:41 -0400 Nelson Williams <[EMAIL PROTECTED]> wrote:
>Hello
>
>The honeywall is updating snort rules using Oinkmaster. But the
>Oinkmaster by default doesn't update the sidmap file for snort, so
>newly updated rules will not be named (displayed as "unknown
>signature") in the walleye interface.
>
>The script "hwruleupdate" should need to run the following command
>after updating the snort rules:
>
>create-sidmap.pl /etc/snort/rules/ > /etc/snort/sid-msg.map
>
>Brgds.
>
>nelson

_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
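
The regeneration step discussed in this thread, as an added Python example that is not from the posters or from the Honeywall or Oinkmaster code: it rebuilds sid-msg.map entries from every rules file in a directory and reports SIDs defined in more than one file, which becomes possible once rules come from several repositories. The sample rules, file names and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

# Constructed sample rules standing in for two repositories (not real rules).
SAMPLE = {
    "community.rules": 'alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; '
                       'reference:url,example.org/a; sid:1000001; rev:1;)\n'
                       'alert udp any any -> any 53 (msg:"EXAMPLE dns probe"; \\\n'
                       '  sid:1000003; rev:2;)\n',
    "vrt.rules": '# alert tcp any any -> any 21 (msg:"EXAMPLE off"; sid:1000002;)\n'
                 'alert tcp any any -> any 25 (msg:"EXAMPLE clash"; sid:1000001;)\n',
}

def build_sidmap(rule_dirs):
    """Map sid -> (msg, refs, file) over all *.rules; also list duplicate SIDs."""
    entries, duplicates = {}, []
    for rule_dir in rule_dirs:
        for path in sorted(Path(rule_dir).glob("*.rules")):
            text = path.read_text(errors="replace").replace("\\\n", " ")
            for line in map(str.strip, text.splitlines()):
                sid, msg = SID_RE.search(line), MSG_RE.search(line)
                if not (line.startswith(ACTIONS) and sid and msg):
                    continue  # comment, disabled rule, or no sid/msg
                key = int(sid.group(1))
                if key in entries:  # SID already defined elsewhere: keep first
                    duplicates.append((key, entries[key][2], path.name))
                    continue
                entries[key] = (msg.group(1), REF_RE.findall(line), path.name)
    return entries, duplicates

def format_sidmap(entries):
    """Render 'sid || msg || ref ...' lines, the layout of sid-msg.map."""
    return "".join(" || ".join([str(s), m, *r]) + "\n"
                   for s, (m, r, _f) in sorted(entries.items()))

def demo():  # writes SAMPLE to a temp dir, returns (map text, duplicates)
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body)
        entries, duplicates = build_sidmap([d])
    return format_sidmap(entries), duplicates

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A non-empty duplicates list means two rule files claim the same SID, so alerts for that SID will be labelled with whichever message was read first.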
