Managing Sagan rule sets with Oinkmaster is incredibly similar to managing Snort rules with Oinkmaster (surprising, eh?). Below is a small example oinkmaster configuration file. Also, Oinkmaster is no longer maintained, so you may want to consider switching to PulledPork.

##############################################################################
# Simple oinkmaster.conf file used with Sagan.   You'll probably notice that #
# this is incredibly similar to using oinkmaster with Snort (surprise!).     #
#                                                                            #
#           You _WILL_ want to modify this for your own usage!               #
##############################################################################

# URL for the stable rules.  If you want to play with new rules,  check the
# Sagan SVN rule set.   The "sagan-rule-current.tar.gz" will always be linked
# to the latest rule set. 

url = http://sagan.softwink.com/rules/sagan-rules-current.tar.gz

path = /bin:/usr/bin:/usr/local/bin

# This looks pretty standard,  however,  note the ".rulebase".  These are for
# the liblognorm normalization rulebase files. 
#
update_files = \.rulebase$|\.rules$|\.config$|\.conf$|\.txt$|\.map$

# Simple example of modifying a rule.  This rewrites the start of sid 5000543
# from "alert" to "drop" (modifysid <sid> "<regex>" | "<replacement>").

modifysid 5000543 "^alert" | "drop"

# Example of disabling rules.  Disabled rules are commented out in the
# downloaded rule file rather than deleted.
#
disablesid 5000307      # [WINDOWS] Privileged Service Called [**]
disablesid 5000304      # [WINDOWS] Successful user logoff
disablesid 5000305      # [WINDOWS] Successful user logon
disablesid 5000761      # [CISCO-PIXASA] No matching connection for ICMP error
disablesid 5000054      # [CISCO-IOS] Line protocol changed state up/down
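To show what the modifysid and disablesid lines above actually do to a rule file, here is an added Python example (not Oinkmaster's own code, nor anything from the Sagan project) that applies those two directives to a constructed, single-line rule set; real Oinkmaster also handles multi-line rules, enablesid and localsid, which this sketch leaves out.

```python
import re

# Constructed sample rules in Sagan syntax (sids borrowed from the config above;
# the rule bodies are made up for this example).
SAMPLE_RULES = """\
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS] Successful user logon"; sid:5000305; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS] Privileged Service Called"; sid:5000307; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[EXAMPLE] rule to be dropped"; sid:5000543; rev:1;)
"""

# Constructed excerpt of an oinkmaster.conf using the directives from the page.
EXAMPLE_CONF = """\
modifysid 5000543 "^alert" | "drop"
disablesid 5000307      # [WINDOWS] Privileged Service Called [**]
disablesid 5000305      # [WINDOWS] Successful user logon
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MODIFY_RE = re.compile(r'modifysid\s+(\d+)\s+"(.*)"\s*\|\s*"(.*)"\s*$')

def parse_conf(conf_text):
    """Return (set of disabled sids, list of (sid, regex, replacement)).
    Only disablesid and modifysid are handled; url/path/update_files are ignored.
    Trailing '# ...' comments are stripped (so a '#' inside a modifysid regex
    is not supported in this simplified parser)."""
    disabled, mods = set(), []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("disablesid"):
            for tok in line.split()[1:]:
                disabled.update(int(s) for s in tok.split(",") if s)
        elif line.startswith("modifysid"):
            m = MODIFY_RE.match(line)
            if m:
                mods.append((int(m.group(1)), m.group(2), m.group(3)))
    return disabled, mods

def apply_conf(rules_text, conf_text):
    """Apply modifysid substitutions, then comment out disabled sids."""
    disabled, mods = parse_conf(conf_text)
    out = []
    for rule in rules_text.splitlines():
        m = SID_RE.search(rule)
        sid = int(m.group(1)) if m else None
        for mod_sid, pattern, repl in mods:
            if sid == mod_sid:
                rule = re.sub(pattern, repl, rule)
        if sid in disabled and not rule.lstrip().startswith("#"):
            rule = "#" + rule  # disabling = commenting the rule out, not deleting it
        out.append(rule)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(apply_conf(SAMPLE_RULES, EXAMPLE_CONF))
```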

-- ChampClark - 2011-03-16

Topic revision: r1 - 2011-03-16 - ChampClark