Description

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Installation

First download and uncompress:

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/oinkmaster/oinkmaster/2.0/oinkmaster-2.0.tar.gz
$ tar xzvf oinkmaster-2.0.tar.gz
$ cd oinkmaster-2.0/

Then copy oinkmaster.pl to /usr/local/bin/:

# cp oinkmaster.pl /usr/local/bin/

And copy oinkmaster.conf in /usr/local/etc/:

# cp oinkmaster.conf /usr/local/etc/

If you also wish to install the man page, proceed as follows:

# cp oinkmaster.1 /usr/local/man/man1/

Configuration

Edit oinkmaster.conf:

# vim /usr/local/etc/oinkmaster.conf

Comment out and adapt following lines (replace "ad17...868d" with your oinkcode):

url = http ://www.snort.org/pub-bin/oinkmaster.cgi/ad1761a327a375d9123480069bf88cdfg82a868d/snortrules-snapshot-2.8.tar.gz
path = /bin :/usr/bin :/usr/local/bin
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf

Usage

Syntax

$ oinkmaster -o <outputdir> [options]

Options

-b <dir>

Backup your old rules into <dir> before overwriting them

-c

Careful mode (dry run) - check for changes but do not update anything

-C <file>

Use this configuration file instead of the default

May be specified multiple times to load multiple files

-e

Enable all rules that are disabled by default

-h

Show this usage information

-i

Interactive mode - you will be asked to approve the changes (if any)

-m

Minimize diff when printing result by removing common parts in rules

-o

Output directory for rules

-q

Quiet mode - no output unless changes were found

-Q

Super-quiet mode - like -q but even more quiet

-r

Check for rules files that exist in the output directory but not in the downloaded rules archive

-s

Leave out details in rules results, just print SID, msg and filename

-S <file>

Look for new variables in this file in the downloaded archive instead of the default (snort.conf). Used in conjunction with -U.

May be specified multiple times to search multiple files.

-T

Config test - just check configuration file(s) for errors/warnings

-u <url>

Download from this URL instead of URL(s) in the configuration file (http|https|ftp|file|scp:// ... .tar.gz|.gz, or dir://<dir>)

May be specified multiple times to grab multiple rules archives

-U <file>

Merge new variables from downloaded snort.conf(s) into <file>

-v

Verbose mode (debug)

-V

Show version and exit

Start Oinkmaster

To start Oinkmaster, just issue:

# /usr/local/bin/oinkmaster.pl -o /etc/snort/rules/

Automatize Oinkmaster

Edit your crontab:

$ crontab -e

And add following line (the example automatically checks for the presence of new rules every day at 2:30am):

30 2 * * * oinkmaster.pl -o /etc/snort/rules/ -b /etc/snort/backup 2>&1 |logger -t oinkmaster