--- oinkmaster-2.0.orig/README.gui
+++ oinkmaster-2.0/README.gui
@@ -1,4 +1,4 @@
-# $Id: README.gui,v 1.19 2006/01/28 21:46:12 andreas_o Exp $ #
+# $Id: README.gui,v 1.20 2006/10/12 08:55:47 andreas_o Exp $ #
 Intro
 ~~~~~
@@ -8,8 +8,7 @@
 is not the prettiest interface you've seen, but it kind of works. It runs on most Unix-like systems and also on Windows with ActivePerl. It's not well-written and may not be a high priority for me in the
-future, so use at your own risk. Send feedback to Andreas Östling
-.
+future, so use at your own risk.
--- oinkmaster-2.0.orig/oinkmaster.pl
+++ oinkmaster-2.0/oinkmaster.pl
@@ -1,8 +1,8 @@
 #!/usr/bin/perl -w
-# $Id: oinkmaster.pl,v 1.406 2006/02/10 13:02:44 andreas_o Exp $ #
+# $Id: oinkmaster.pl,v 1.413 2008/02/18 19:38:08 andreas_o Exp $ #
-# Copyright (c) 2001-2006 Andreas Östling
+# Copyright (c) 2001-2008 Andreas Östling
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or
@@ -58,6 +58,8 @@
 sub process_rules($ $ $ $ $ $);
 sub process_rule($ $ $ $ $ $ $ $);
 sub setup_rules_hash($ $);
+sub check_flowbits_dependencies($);
+sub parse_flowbits($ $ $);
 sub get_first_only($ $ $);
 sub print_changes($ $);
 sub print_changetype($ $ $ $);
@@ -82,10 +84,9 @@
 sub clean_exit($);
-my $VERSION = 'Oinkmaster v2.0, Copyright (C) 2001-2006 '.
- 'Andreas Östling ';
+my $VERSION = 'Oinkmaster v2.0, Copyright (C) 2001-2008 '.
+ 'Andreas Östling ';
 my $OUTFILE = 'snortrules.tar.gz';
-my $RULES_DIR = 'rules';
 my $PRINT_NEW = 1;
 my $PRINT_OLD = 2;
@@ -108,6 +109,9 @@
 use_external_bins => 1,
 verbose => 0,
 use_path_checks => 1,
+ rules_dir => 'rules',
+ path => '/bin:/usr/bin:/usr/local/bin',
+ update_files => '\.rules$|\.config$|\.conf$|\.txt$|\.map$',
 rule_actions => "alert|drop|log|pass|reject|sdrop|activate|dynamic",
 tmp_basedir => $ENV{TMP} || $ENV{TMPDIR} || $ENV{TEMPDIR} || '/tmp',
 );
@@ -232,22 +236,22 @@
 foreach my $url (@{$config{url}}) {
 my $url_tmpdir = tempdir("url.XXXXXXXXXX", DIR => $tmpdir) or clean_exit("could not create temporary directory in $tmpdir: $!");
- push(@url_tmpdirs, "$url_tmpdir/$RULES_DIR");
+ push(@url_tmpdirs, "$url_tmpdir/$config{rules_dir}");
 if ($url =~ /^dir:\/\/(.+)/) {
- mkdir("$url_tmpdir/$RULES_DIR")
- or clean_exit("Could not create $url_tmpdir/$RULES_DIR");
- copy_rules($1, "$url_tmpdir/$RULES_DIR");
+ mkdir("$url_tmpdir/$config{rules_dir}")
+ or clean_exit("Could not create $url_tmpdir/$config{rules_dir}");
+ copy_rules($1, "$url_tmpdir/$config{rules_dir}");
 } else {
 download_file($url, "$url_tmpdir/$OUTFILE");
- unpack_rules_archive("$url", "$url_tmpdir/$OUTFILE", $RULES_DIR);
+ unpack_rules_archive("$url", "$url_tmpdir/$OUTFILE", $config{rules_dir});
 }
 }
-# Copy all rules files from the tmp dirs into $RULES_DIR in the tmp directory.
+# Copy all rules files from the tmp dirs into $config{rules_dir} in the tmp directory.
 # File matching 'skipfile' a directive will not be copied.
 # Filenames (with full path) will be stored as %new_files(unknown).
 # Will exit in case of duplicate filenames.
-my $num_files = join_tmp_rules_dirs("$tmpdir/$RULES_DIR", \my %new_files, @url_tmpdirs);
+my $num_files = join_tmp_rules_dirs("$tmpdir/$config{rules_dir}", \my %new_files, @url_tmpdirs);
 # Make sure we have at least the minimum number of files.
 clean_exit("not enough rules files in downloaded rules archive(s).\n".
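Review bot: The `mkdir(...) or clean_exit("Could not create $url_tmpdir/$config{rules_dir}")` line in the `dir://` branch drops `$!`, unlike the tempdir failure two statements above it, so a permissions or naming problem is reported without its cause; suggest `or clean_exit("Could not create $url_tmpdir/$config{rules_dir}: $!");`. Note also that `$config{rules_dir}` is interpolated straight into this path and into the `push(@url_tmpdirs, ...)` entry, so a configured value containing a path separator fails here (mkdir is not recursive) and a `..` value would point outside `$url_tmpdir`; the parser for `rules_dir` lives outside this hunk and, as far as this page shows, does not reject such values.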
@@ -274,12 +278,14 @@
 my %rh = setup_rules_hash(\%new_files, $config{output_dir});
 # Compare the new rules to the old ones.
-my %changes = get_changes(\%rh, \%new_files, $RULES_DIR);
+my %changes = get_changes(\%rh, \%new_files, $config{rules_dir});
 # Check for variables that exist in dist snort.conf(s) but not in local snort.conf.
 get_new_vars(\%changes, \@{$config{dist_var_files}}, $config{varfile}, \@url_tmpdirs) if ($config{update_vars});
+# Check for broken flowbits dependencies.
+check_flowbits_dependencies(\%rh);
 # Find out if something had changed.
 my $something_changed = 0;
@@ -622,8 +628,12 @@
 }
 } elsif (/^url\s*=\s*(.*)/i) {
- push(@{$$cfg_ref{url}}, $1)
- unless ($$cfg_ref{cmdline_url});
+ if ($$cfg_ref{cmdline_url}) {
+ warn("URL already set on command line, ignoring URL in configuration file\n")
+ unless ($config{quiet});
+ } else {
+ push(@{$$cfg_ref{url}}, $1);
+ }
 } elsif (/^path\s*=\s*(.+)/i) {
 $$cfg_ref{path} = $1;
@@ -658,6 +668,9 @@
 } elsif (/^user_agent\s*=\s*(.+)/i) {
 $$cfg_ref{user_agent} = $1;
+ } elsif (/^rules_dir\s*=\s*(.+)/i) {
+ $$cfg_ref{rules_dir} = $1;
+
 } elsif (/^include\s+(\S+.*)/i) {
 my $include = $1;
 read_config($include, $cfg_ref);
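Review bot: `check_flowbits_dependencies(\%rh);` is called before `$something_changed` is computed, and the function only returns early on `super_quiet`, so a `-q` run now prints flowbits warnings on every invocation even when the rule set is unchanged; the man page hunk on this same page describes `-q` as "do not print anything unless it contains updated rules", so a cron job using `-q` will start mailing the same warnings on every run. If that is not intended, move the call below the change detection and gate it, e.g. `check_flowbits_dependencies(\%rh) if ($something_changed || !$config{quiet});`. The `-Q` suppression described in the ChangeLog would be unaffected. `$something_changed` is assigned in code after this hunk, so the exact placement has to be checked there.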
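Review bot: The new `rules_dir` branch stores `$1` without any check, yet elsewhere in this patch the value is interpolated into `mkdir("$url_tmpdir/$config{rules_dir}")` and handed to `unpack_rules_archive`, so a value with a path separator or `..` either escapes the per-URL temp directory or makes the non-recursive mkdir fail with a confusing message. The config file is documented as trusted, so this is defence in depth rather than a vulnerability, but `output_dir` already goes through `untaint_path` and `rules_dir` deserves a single-component check: `my $dir = $1;` / `clean_exit("rules_dir must be a plain directory name, got \"$dir\"") if ($dir =~ m{[/\\]} || $dir =~ /^\.\.?$/);` / `$$cfg_ref{rules_dir} = $dir;`. Capturing into a lexical first also avoids relying on `$1` surviving the extra match. The enclosing `read_config` elsif chain starts and ends outside this hunk.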
@@ -788,20 +801,25 @@
 push(@{$config{url}}, $ok_url);
 }
- # Wget must be found if url is http[s]:// or ftp://.
- if ($config{use_external_bins}) {
- clean_exit("wget not found in PATH ($ENV{PATH}).")
- if ($config{'url'} =~ /^(https*|ftp):/ && !is_in_path("wget"));
- }
+ # Look for binaries that are only required in certain situations.
+ foreach my $url (@{$config{url}}) {
+ if ($config{use_external_bins}) {
+ # Wget must be found if any URL is http[s]:// or ftp://.
+ clean_exit("wget not found in PATH ($ENV{PATH})\n" .
+ "Install wget if missing, or update \"path = ...\" in Oinkmaster configuration file")
+ if ($url =~ /^(https*|ftp):/ && !is_in_path("wget"));
+ }
- # scp must be found if scp://...
- clean_exit("scp not found in PATH ($ENV{PATH}).")
- if ($config{'url'} =~ /^scp:/ && !is_in_path("scp"));
-
- # ssh key must exist if specified and url is scp://...
- clean_exit("ssh key \"$config{scp_key}\" does not exist.")
- if ($config{'url'} =~ /^scp:/ && exists($config{scp_key})
- && !-e $config{scp_key});
+ # scp must be found if scp://... regardless of use_external_bins value
+ if ($url =~ /^scp:/) {
+ clean_exit("scp not found in PATH ($ENV{PATH}).")
+ unless (is_in_path("scp"));
+
+ # ssh key must exist if specified and url is scp://...
+ clean_exit("ssh key \"$config{scp_key}\" does not exist.")
+ if (exists($config{scp_key})&& !-e $config{scp_key});
+ }
+ }
 # Untaint output directory string.
 $config{output_dir} = untaint_path($config{output_dir});
@@ -1201,10 +1219,11 @@
 my %sids;
 my %stats = (
- disabled => 0,
- enabled => 0,
- modified => 0,
- total => 0,
+ disablesid => 0,
+ enablesid => 0,
+ modifysid => 0,
+ localsid => 0,
+ total => 0,
 );
 warn("WARNING: all rules that are disabled by default will be enabled\n")
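Review bot: The ssh key sanity check `if (exists($config{scp_key})&& !-e $config{scp_key});` only proves the file exists; a key that is present but unreadable by the user running Oinkmaster passes here and fails later inside scp with a less useful message, so `-r` is the better test: `if (exists($config{scp_key}) && !-r $config{scp_key});` (with the missing space before `&&`). In the wget check, `/^(https*|ftp):/` also matches `httpss:`; `https?` says what is meant. Both messages print `$ENV{PATH}`, which presumably already reflects the configured `path` value by the time this runs — worth confirming, since the new hint text tells the user to edit `path = ...`. The enclosing sanity-check sub starts and ends outside this hunk.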
@@ -1260,7 +1279,7 @@
 # Is it a dup? If so, see if this seems to be more recent (higher rev).
 if (exists($sids{$sid})) {
 warn("\nWARNING: duplicate SID in downloaded archive, SID=$sid, ".
- "only keeping rule with highest 'rev'\n")
+ "trying to keep active rule with highest 'rev'\n")
 unless($config{super_quiet});
 my ($old_rev) = ($sids{$sid}{single} =~ /\brev\s*:\s*(\d+)\s*;/);
@@ -1329,6 +1348,7 @@
 print OUTFILE $$rh_tmp_ref{old}{rules}{basename($file)}{$sid};
 $sids{$sid}{printed} = 1;
+ $stats{localsid}++;
 warn("SID $sid is marked as local, keeping your version from ". basename($file) . ".\n".
@@ -1376,8 +1396,8 @@
 close(OUTFILE);
 }
- print STDERR "disabled $stats{disabled}, enabled $stats{enabled}, ".
- "modified $stats{modified}, total=$stats{total}\n"
+ print STDERR "disablesid $stats{disablesid}, enablesid $stats{enablesid}, ".
+ "modifysid $stats{modifysid}, localsid $stats{localsid}, total rules $stats{total}\n"
 unless ($config{quiet});
 # Print warnings on attempt at enablesid/disablesid/localsid on non-existent
@@ -1454,7 +1474,7 @@
 $multi =~ s/^#*//;
 $multi =~ s/\n#*/\n/g;
 $single =~ s/^#*//;
- $$stats_ref{enabled}++;
+ $$stats_ref{enablesid}++;
 }
 # Modify rule if requested. For disablesid/enablesid we work
@@ -1497,7 +1517,7 @@
 print STDERR "After: $single\n" if ($print_messages && $config{verbose});
- $$stats_ref{modified}++;
+ $$stats_ref{modifysid}++;
 } else {
 if ($print_modify_warnings) {
 warn("WARNING: SID $sid does not match modifysid ".
@@ -1511,14 +1531,14 @@
 if (exists($$disable_sid_ref{$sid}) && $multi !~ /^\s*#/) {
 $multi = "#$multi";
 $multi =~ s/\n([^#].+)/\n#$1/g;
- $$stats_ref{disabled}++;
+ $$stats_ref{disablesid}++;
 }
 # Enable rule if requested and it's not already enabled.
 if (exists($$enable_sid_ref{$sid}) && $multi =~ /^\s*#/) {
 $multi =~ s/^#+//;
 $multi =~ s/\n#+(.+)/\n$1/g;
- $$stats_ref{enabled}++;
+ $$stats_ref{enablesid}++;
 }
 $$rule_ref{single} = $single;
@@ -1558,6 +1578,7 @@
 while (get_next_entry(\@newfile, \$single, \$multi, \$nonrule, \$msg, \$sid)) {
 if (defined($single)) {
 $rh{new}{rules}{"$file"}{"$sid"} = $single;
+ parse_flowbits(\%rh, $single, $sid);
 } else {
 push(@{$rh{new}{other}{"$file"}}, $nonrule);
 }
@@ -1573,12 +1594,12 @@
 while (get_next_entry(\@oldfile, \$single, \$multi, \$nonrule, undef, \$sid)) {
 if (defined($single)) {
- warn("\nWARNING: duplicate SID in your local rules, SID ".
- "$sid exists multiple times, you may need to fix this manually!\n")
- if (exists($old_sids{$sid}));
+ warn("\nWARNING: duplicate SID in your local rules, active rule with SID ".
+ "$sid exists multiple times, you may need to fix this manually if the problem persists!\n")
+ if (exists($old_sids{$sid}) && ($single !~ /^#/ && $old_sids{$sid} !~ /^#/));
 $rh{old}{rules}{"$file"}{"$sid"} = $single;
- $old_sids{$sid}++;
+ $old_sids{$sid} = $single;
 } else {
 push(@{$rh{old}{other}{"$file"}}, $nonrule);
 }
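Review bot: `$old_sids{$sid} = $single;` overwrites unconditionally, so with an active copy of a SID followed by a commented-out copy and then a second active copy, the warning compares the third against the commented second and never fires, although the file still holds two active rules with that SID. Keeping the first active copy fixes it: `$old_sids{$sid} = $single unless (exists($old_sids{$sid}) && $single =~ /^#/);`. The active test here is `/^#/`, while process_rule in this same patch uses `/^\s*#/`; if get_next_entry can return a `$single` with leading whitespace the two disagree — worth confirming. The enclosing setup_rules_hash starts outside this hunk.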
@@ -2713,6 +2734,84 @@
 }
+
+# Check if some active rule depends on flowbits that is not
+# set in any other active rule.
+sub check_flowbits_dependencies($)
+{
+ my $rh_ref = shift;
+
+ # No flowbits check in super quiet mode.
+ return if ($config{super_quiet});
+
+ print STDERR "Checking flowbits dependencies... "
+ unless ($config{quiet});
+
+ my $warnings = "";
+
+
+ # Check for rules that checks for flowbits that are never set/toggled.
+ foreach my $sid (keys(%{$$rh_ref{flowbits_check_dependency}})) {
+ my $depend_bit = $$rh_ref{flowbits_check_dependency}{$sid};
+
+ unless (exists($$rh_ref{flowbits_active_set}{$depend_bit})) {
+ $warnings .= "WARNING: SID $sid depends on flowbit \"$depend_bit\" ";
+ if (exists($$rh_ref{flowbits_inactive_set}{$depend_bit})) {
+ my $depend_sid = $$rh_ref{flowbits_inactive_set}{$depend_bit};
+ $warnings .= "which is set in INACTIVE SID $depend_sid ".
+ "(SID $sid is broken unless you also enable SID $depend_sid).\n";
+ } else {
+ $warnings .= "which is not set in any rule\n";
+ }
+ }
+ }
+
+ if ($warnings) {
+ print STDERR "problems found:\n\n" unless ($config{quiet});
+ print STDERR $warnings;
+ } else {
+ print STDERR "no problems found.\n" unless ($config{quiet});
+ }
+}
+
+
+
+sub parse_flowbits($ $ $)
+{
+ my $rh_ref = shift;
+ my $rule = shift;
+ my $sid = shift;
+
+ # Check if it's an active rule that sets (or toggles) any flowbits,
+ # or has an isset or isnotset check.
+ if ($rule !~ /^#/) {
+ my @fields = split(/\s*;\s*/, $rule);
+ foreach my $field (@fields) {
+ if ($field =~ /^flowbits\s*:\s*(?:set|toggle)\s*,\s*(.+)/) {
+ $$rh_ref{flowbits_active_set}{$1} = $sid;
+ }
+ if ($field =~ /^flowbits\s*:\s*isnotset\s*,\s*(.+)/) {
+ $$rh_ref{flowbits_check_dependency}{$sid} = $1;
+ }
+ if ($field =~ /^flowbits\s*:\s*isset\s*,\s*(.+)/) {
+ $$rh_ref{flowbits_check_dependency}{$sid} = $1;
+ }
+ }
+ }
+
+ # Check if it's an inactive rule that sets (or toggles) any flowbits.
+ if ($rule =~ /^#/) {
+ my @fields = split(/\s*;\s*/, $rule);
+ foreach my $field (@fields) {
+ if ($field =~ /^flowbits\s*:\s*(?:set|toggle)\s*,\s*(.+)/) {
+ $$rh_ref{flowbits_inactive_set}{$1} = $sid;
+ }
+ }
+ }
+}
+
+
 # Catch SIGINT.
 sub catch_sigint()
--- oinkmaster-2.0.orig/README
+++ oinkmaster-2.0/README
@@ -1,10 +1,10 @@
-# $Id: README,v 1.84 2006/01/28 22:11:12 andreas_o Exp $ #
+# $Id: README,v 1.85 2006/10/12 08:55:47 andreas_o Exp $ #
 Introduction
 ~~~~~~~~~~~~
-Oinkmaster is written by Andreas Östling .
+Oinkmaster is written by Andreas Östling .
 The homepage is at http://oinkmaster.sourceforge.net/ Oinkmaster is simple Perl script released under the BSD license that
--- oinkmaster-2.0.orig/LICENSE
+++ oinkmaster-2.0/LICENSE
@@ -1,4 +1,4 @@
- Copyright (c) 2001-2005 Andreas Östling
+ Copyright (c) 2001-2005 Andreas Östling
 All rights reserved.
 Redistribution and use in source and binary forms, with or
--- oinkmaster-2.0.orig/ChangeLog
+++ oinkmaster-2.0/ChangeLog
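Review bot: In parse_flowbits, `$$rh_ref{flowbits_check_dependency}{$sid} = $1;` keeps a single bit per SID, so a rule with more than one `isset`/`isnotset` option (or one of each) only ever has its last dependency checked and the earlier ones are silently skipped by check_flowbits_dependencies. Store a list per SID and loop over it, as sketched below; the warning text and the set/toggle bookkeeping stay as they are. Iterating sorted keys would also make the warning order stable between runs. The `(.+)` capture takes the whole remainder of the option, so if the targeted Snort version accepts multi-bit forms such as `a&b` or `a|b` those are compared as one literal name and reported as never set — confirm against the rule sets this is meant to handle.
```perl
# … unchanged: quiet/super_quiet preamble and $warnings init …
foreach my $sid (sort keys(%{$$rh_ref{flowbits_check_dependency}})) {
    foreach my $depend_bit (@{$$rh_ref{flowbits_check_dependency}{$sid}}) {
        unless (exists($$rh_ref{flowbits_active_set}{$depend_bit})) {
            # … unchanged: warning text for inactive / never-set bit …
        }
    }
}
# … unchanged: printing of $warnings; start of parse_flowbits and the set/toggle branch …
if ($field =~ /^flowbits\s*:\s*(?:isset|isnotset)\s*,\s*(.+)/) {
    push(@{$$rh_ref{flowbits_check_dependency}{$sid}}, $1);
}
```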
@@ -1,4 +1,36 @@
-# $Id: ChangeLog,v 1.186 2006/02/18 12:16:47 andreas_o Exp $ #
+# $Id: ChangeLog,v 1.192 2008/02/18 19:41:04 andreas_o Exp $ #
+
+Oinkmaster v2.1 - 200xxxxx
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+o Flowbits dependency check is now performed on the downloaded rules
+ after being processed by Oinkmaster. You will get a warning message
+ if a rule has 'flowbits:set,...' or 'flowbits:isnotset,...' statements
+ for flowbits that are never set or toggled in any rule. If you get
+ warnings about flowbits dependency problems, you have to fix them
+ yourself. Flowbits check is suppressed when using -Q.
+o Print message when URL is specified on both command line and in config
+ file (command line wins as usual)
+o oinkmaster.pl and create-sidmap.pl: don't print dup warnings for
+ rules that are commented out (thanks to David J. Bianco)
+o Updated the default example URLs in oinkmaster.conf to point to
+ more recent Snort versions and the Emerging Threats site.
+o Set defaults for 'update_files' and 'path' in oinkmaster.pl
+ instead of in oinkmaster.conf.
+o Write stats for matching 'localsid' statements just like the rest.
+o Fixed a couple of minor sanity check bugs.
+o Allow rules_dir to be set in Oinkmaster config file. This is the
+ directory in the downloaded rules archive where Oinkmaster will
+ search for the rules files. Default is the directory called "rules",
+ as that's where the normal rules usually are. This allows you to
+ update the shared object rules (so_rules) with Oinkmaster by
+ creating a separate oinkmaster.conf containing "rules_dir = so_rules".
+ Note that you can not set multiple directories so you have to run
+ Oinkmaster separately for each directory. Remember to point to
+ different output directories as the "rules" and "so_rules"
+ directories contains files with identical filenames.
+o Updated my email address everywhere (now andreaso@andreaso.se).
+
+
 Oinkmaster v2.0 - 20060218
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
--- oinkmaster-2.0.orig/FAQ
+++ oinkmaster-2.0/FAQ
@@ -1,4 +1,4 @@
-# $Id: FAQ,v 1.48 2006/01/21 08:25:05 andreas_o Exp $ #
+# $Id: FAQ,v 1.49 2008/02/18 19:39:18 andreas_o Exp $ #
 The must current version if this FAQ can be found
@@ -67,7 +67,7 @@
 a "#" in front of the rules. How do these changes become permanent?
 Q23: How do I update the rules from multiple sources, like the official
- ones at www.snort.org and the ones at www.bleedingsnort.com?
+ ones at www.snort.org, the ones at www.emergingthreats.net?
 Q24: How do I know which rules to disable?
@@ -97,6 +97,7 @@
 Q33: Can I tell Oinkmaster to disable all rules by default, and only enable and update specific ones?
+Q34: Can Oinkmaster update the shared object rules (so_rules)?
 --------------
@@ -134,7 +135,7 @@
 Here is some more information about downloading Snort signatures. Oinkmaster can be used to update Snort signatures from many different places, like the official ones at www.snort.org or the
- "Bleeding Snort" ones from www.bleedingsnort.com. Here follows
+ "Bleeding Snort" ones from www.emergingthreats.net. Here follows
 information about the official Snort signatures at www.snort.org Third party rules sources should have their own instructions. Remember that you should never ever update the Snort signatures
@@ -682,7 +683,7 @@
 Q23: How do I update the rules from multiple sources, like the official
- ones at www.snort.org and the ones at www.bleedingsnort.com?
+ ones at www.snort.org, the ones at www.emergingthreats.net?
 A23: One way is to simply run Oinkmaster once for each URL and with different output directories. This way you don't have to worry
@@ -787,11 +788,11 @@
 #!/bin/sh
- oinkmaster.pl -u http://www.bleedingsnort.com/... -o /etc/snort/rules/bleeding/
+ oinkmaster.pl -u http://rules.emergingthreats.net/... -o /etc/snort/rules/emerging/
 oinkmaster.pl -u http://www.snort.org/... -o /etc/snort/rules/official/
 create-sidmap.pl /etc/snort/rules/official/ \
- /etc/snort/rules/bleeding/ \
+ /etc/snort/rules/emerging/ \
 /etc/snort/rules/local/ \
 > /etc/snort/sid-msg.map
@@ -918,3 +919,18 @@
 rule you want to use, you must add an 'enablesid' statement for it as all added rules will be disabled by default.
+
+
+Q34: Can Oinkmaster update the shared object rules (so_rules)?
+
+A34: Yes, but you have to run Oinkmaster separately with its own
+ configuration file. Copy your regular oinkmaster.conf file
+ to oinkmaster-so-rules.conf (or create a new one) and set
+ "rules_dir = so_rules". Then run Oinkmaster with
+ -C and use an output directory
+ (-o ) different than your regular rules directory. This is
+ important as the "rules" and "so_rules" directories contains
+ files with identical filenames. See the Snort documentation on how
+ to use shared object rules. The shared object rules are currently
+ disabled by default so you have to use "enablesid" or "modifysid"
+ to activate the ones you want to use.
--- oinkmaster-2.0.orig/oinkmaster.1
+++ oinkmaster-2.0/oinkmaster.1
@@ -1,5 +1,5 @@
-.\" $Id: oinkmaster.1,v 1.26 2005/06/16 18:26:47 andreas_o Exp $
-.\" Copyright (c) 2004-2005 Andreas Ostling
+.\" $Id: oinkmaster.1,v 1.27 2006/10/12 08:55:47 andreas_o Exp $
+.\" Copyright (c) 2004-2006 Andreas Ostling
 .\"
 .\" Command to generate the man page: groff -man -Tascii oinkmaster.1
 .\"
@@ -8,7 +8,7 @@
 .B oinkmaster \- update Snort signatures
 .SH SYNOPSIS
-.B oinkmaster.pl -o
+.B oinkmaster -o
 .I outdir [options]
 .SH DESCRIPTION
@@ -205,14 +205,14 @@
 and put the new rules in /etc/rules/:
 .PP
 .nf
-\fB oinkmaster.pl -o /etc/rules \fP
+\fB oinkmaster -o /etc/rules \fP
 .fi
 .PP
 Grab rules archive from local filesystem and do not print anything unless it contains updated rules:
 .PP
 .nf
-\fB oinkmaster.pl -u file:///tmp/rules.tar.gz -o /etc/rules -q \fP
+\fB oinkmaster -u file:///tmp/rules.tar.gz -o /etc/rules -q \fP
 .fi
 .PP
 Download rules archive from default location, make backup of old rules if
@@ -223,7 +223,7 @@
 first encrypting the content.):
 .PP
 .nf
-\fB oinkmaster.pl -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \fP\\
+\fB oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \fP\\
 \fB mail -s "subject" user@example.com
 .fi
 .PP
@@ -232,7 +232,7 @@
 /etc/snort/snort.conf:
 .PP
 .nf
-\fB oinkmaster.pl -u file:///tmp/foo.rules.tar.gz \fP\\
+\fB oinkmaster -u file:///tmp/foo.rules.tar.gz \fP\\
 \fB -u http://somewhere/rules.tar.gz -u https://blah/rules.tar.gz \fP\\
 \fB -o /etc/rules -S snort.conf -S foo.conf -U /etc/snort/snort.conf
 .fi
@@ -245,7 +245,7 @@
 .PP
 .nf
 \fB TMP=`mktemp /tmp/oinkmaster.XXXXXX` && \fP\\
-\fB (oinkmaster.pl -C /etc/oinkmaster-global.conf \fP\\
+\fB (oinkmaster -C /etc/oinkmaster-global.conf \fP\\
 \fB -C /etc/oinkmaster-sensor.conf -o /etc/rules \fP\\
 \fB -U /etc/snort.conf \fP\\
 \fB -u scp://user@example.com:/home/user/rules.tar.gz \fP\\
@@ -266,7 +266,7 @@
 changed, it was rewritten to work with the official Snort rules and the new name became Oinkmaster.
 .SH AUTHOR
-Andreas Ostling
+Andreas Ostling
 .SH SEE ALSO
 The online documentation at http://oinkmaster.sf.net/ contains more information.
--- oinkmaster-2.0.orig/oinkmaster.conf
+++ oinkmaster-2.0/oinkmaster.conf
@@ -1,12 +1,10 @@
-# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
+# $Id: oinkmaster.conf,v 1.134 2008/02/18 19:33:45 andreas_o Exp $ #
+
 # This file is pretty big by default, but don't worry.
-# The only things required are "path" and "update_files". You must also
-# set "url" to point to the correct rules archive for your version of
-# Snort, unless you prefer to specify this on the command line.
-# The rest in here is just a few recommended defaults, and examples
-# how to use all the other optional features and give some ideas how they
-# could be used.
+# Everything in here is completely optional and the defaults
+# should work for most people. The download URL of the rules
+# archive must be set either in here or on the command line.
 # Remember not to let untrusted users edit Oinkmaster configuration
 # files, as things like the PATH to use during execution is defined
@@ -30,17 +28,16 @@
 # http://www.snort.org/rules/ and follow the instructions
 # there to pick the right URL for your version of Snort
 # (and remember to update the URL when upgrading Snort in the
-future). You can of course also specify locations to third party
-# rules.
+future!). You can of course also specify locations to third party
+# rules. You may specify multiple URLs.
 #
 # As of March 2005, you must register on the Snort site to get access
 # to the official Snort rules. This will get you an "oinkcode".
 # You then specify the URL as
 # http://www.snort.org/pub-bin/oinkmaster.cgi//
 # For example, if your code is 5a081649c06a277e1022e1284b and
-# you use Snort 2.4, the url to use would be (without the wrap):
-# http://www.snort.org/pub-bin/oinkmaster.cgi/
-# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
+# you use Snort 2.7, the url to use would be:
+# http://www.snort.org/pub-bin/oinkmaster.cgi/5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.7.tar.gz
 # See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
 # more information.
@@ -48,17 +45,32 @@
 # URL examples follows. Replace with the code you get on the
 # Snort site in your registered user profile.
-# Example for Snort 2.4
-# url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.4.tar.gz
+# VRT certified rules for registered users, Snort 2.9.
+# url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.9.tar.gz
+
+# VRT certified rules for registered users, Snort 2.7.
+# url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.7.tar.gz
-# Example for Snort-current ("current" means cvs snapshots).
+# VRT certified rules for registered users, Snort 2.8.
+# url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.8.tar.gz
+
+# VRT certified rules for registered users, Snort-CURRENT
+# ("CURRENT" here means experimental snapshots!).
 # url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-CURRENT.tar.gz
-# Example for Community rules
-# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
-# Example for rules from the Bleeding Snort project
-# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
+# Community rules and Snort 2.4.
+# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-2.4.tar.gz
+
+# Community rules for snort-CURRENT
+# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
+
+
+# Example for rules from the Emerging Threats site (previously known as Bleeding Snort).
+# url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
+# Old url:
+# url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
+
 # If you prefer to download the rules archive from outside Oinkmaster,
 # you can then point to the file on your local filesystem by using
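Review bot: Every example `url =` line added here carries the oinkcode as a path component over plain `http://`, so a credential that the surrounding comments tie to the user's registered profile, and the rule set it unlocks, travel in cleartext where an on-path party could read the code or substitute rules. If snort.org and emergingthreats.net serve these paths over TLS (not verifiable from this page), the examples should use `https://`, which the wget sanity check in oinkmaster.pl already accepts via `/^(https*|ftp):/`. A one-line comment next to the examples, e.g. `# Treat your oinkcode as a password: prefer https:// URLs where the site offers them.`, would make the trade-off explicit for readers copying these lines.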
@@ -86,8 +98,8 @@
 # optional .exe suffix. If you're on Cygwin, make sure that the path
 # contains the Cygwin binaries and not the native Win32 binaries or
 # you will get problems.
-# Assume UNIX style by default:
-path = /bin:/usr/bin:/usr/local/bin
+# The following UNIX style path is assumed by default:
+# path = /bin:/usr/bin:/usr/local/bin
 # Example if running native Win32 or standalone Cygwin:
 # path = c:\oinkmaster;c:\oinkmaster\bin
@@ -138,7 +150,7 @@
 # All other files will be ignored. You can then choose to skip
 # individual files by specifying the "skipfile" keyword below.
 # Normally you shouldn't need to change this one.
-update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
+# update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # Regexp of keywords that starts a Snort rule.
@@ -172,6 +184,20 @@
 # other than the default one for wget/LWP, set this variable.
 # user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+# The normal Snort rules usually resides in a directory called
+# "rules" in the downloaded archive. You can tell Oinkmaster to
+# look in another directory by setting the rules_dir statement.
+# This allows you to update the shared object rules (so_rules) with
+# Oinkmaster by creating a separate oinkmaster.conf containing
+# "rules_dir = so_rules". Note that you can not set multiple
+# directories so you have to run Oinkmaster separately for each
+# directory. Remember to point to different output directories as
+# the "rules" and "so_rules" directories contains files with
+# identical filenames.
+# To update the shared object rules, use:
+# rules_dir = so_rules
+# The default is to update the normal rules:
+# rules_dir = rules
 # You can include other files anywhere in here by using
 # "include ". will be parsed just like a regular
@@ -286,6 +312,9 @@
 # (alert, log, pass, etc).
 # modifysid 1325 "^#" | ""
+# Example to enable ALL rules in ALL files (usually not a good idea).
+# modifysid * "^#" | ""
+
 # Example to add "tag" stuff to SID 1325.
 # modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
--- oinkmaster-2.0.orig/debian/dirs
+++ oinkmaster-2.0/debian/dirs
@@ -0,0 +1,4 @@
+usr/sbin
+usr/share/doc/oinkmaster
+usr/share/oinkmaster
+etc/
--- oinkmaster-2.0.orig/debian/docs
+++ oinkmaster-2.0/debian/docs
@@ -0,0 +1,5 @@
+FAQ
+README
+README.gui
+README.templates
+UPGRADING
--- oinkmaster-2.0.orig/debian/rules
+++ oinkmaster-2.0/debian/rules
@@ -0,0 +1,64 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Oinkmaster's debian/rules
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+
+build:
+ dh_testdir
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ dh_clean
+ rm -f build-stamp configure-stamp
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ install -m 755 oinkmaster.pl debian/oinkmaster/usr/sbin/oinkmaster
+ install -m 640 oinkmaster.conf debian/oinkmaster/etc/
+ install -m 755 contrib/* debian/oinkmaster/usr/share/oinkmaster/
+ -rm -f debian/oinkmaster/usr/share/oinkmaster/README*
+
+binary-arch: build install
+
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs contrib/README.contrib
+ dh_installexamples template-examples.conf
+# dh_install
+# dh_installdebconf
+# dh_installcron
+ dh_installman oinkmaster.1
+ dh_compress
+ dh_fixperms
+ dh_perl
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- oinkmaster-2.0.orig/debian/copyright
+++ oinkmaster-2.0/debian/copyright
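Review bot: `install -m 640 oinkmaster.conf debian/oinkmaster/etc/` ships upstream's configuration, and the script defaults visible in the oinkmaster.pl hunks on this page (`use_external_bins => 1`, `tmp_basedir` falling back to `$ENV{TMP}`/`/tmp`) are the opposite of what the README.Debian added alongside still promises (no `/tmp`, no external binaries); the 2.0-3 changelog entry acknowledges the switch, but as far as this page shows README.Debian was not updated, so the package overstates its hardening. Either drop those claims from README.Debian or ship an `/etc/oinkmaster.conf` that sets `use_external_bins = 0` (the Perl replacements are already hard dependencies in debian/control) and a dedicated temporary directory. Separately, `install -m 755 contrib/*` marks every file under contrib/ executable, including any non-script data; installing scripts explicitly, or data with `-m 644`, would be tighter.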
@@ -0,0 +1,43 @@
+This package was debianized by Javier Fernandez-Sanguino Pen~a
+ on Mon, 13 Sep 2004 16:15:26 +0200.
+
+It was downloaded from http://prdownloads.sourceforge.net/oinkmaster/
+
+Upstream Author: Andreas Ostling
+
+Copyright:
+
+ Copyright (c) 2001-2008 Andreas Ostling
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, are permitted provided that the following
+ conditions are met:
+
+ 1. Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the following
+ disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ 3. Neither the name of the author nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- oinkmaster-2.0.orig/debian/README.Debian
+++ oinkmaster-2.0/debian/README.Debian
@@ -0,0 +1,22 @@
+oinkmaster for Debian
+---------------------
+
+There is currently no automatic mechanism in place to update the Snort
+signatures through Cron. If you wish to enable such a mechanism you'll
+have to write it yourself.
+
+Note that oinkmaster will not auto-detect the Snort version you are using,
+since Snort rules do not specify the version you should be careful and
+review which ruleset is being downloaded before activating such a task.
+The default configuration for oinkmaster uses the latests Snort Debian
+release available.
+
+The default Debian configuration only allows root to download the rulesets
+by using /var/run/oinkmaster and restricting permissions in that directory.
+$TMP or /tmp are not used in order to avoid symlink attacks. It also avoids
+the use of external binaries so that system() calls are also avoided, you
+will need to install some additional Perl libraries (included in the
+following packages: libio-zlib-perl, libwww-perl, libarchive-tar-perl)
+
+
+ -- Javier Fernandez-Sanguino Pen~a , Mon, 13 Sep 2004 16:15:26 +0200
--- oinkmaster-2.0.orig/debian/control
+++ oinkmaster-2.0/debian/control
@@ -0,0 +1,23 @@
+Source: oinkmaster
+Section: admin
+Priority: optional
+Maintainer: Javier Fernández-Sanguino Peña
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.0
+Homepage: http://oinkmaster.sourceforge.net/
+Vcs-Browser: http://oinkmaster.cvs.sourceforge.net/oinkmaster/oinkmaster/
+Vcs-Cvs: :pserver:anonymous@oinkmaster.cvs.sourceforge.net:/cvsroot/oinkmaster oinkmaster
+
+Package: oinkmaster
+Architecture: all
+Depends: perl (>= 5.6.1), libio-zlib-perl, libwww-perl, libarchive-tar-perl
+Recommends: wget
+Provides: snort-rules
+Description: Snort rules manager
+ A simple script to manage and update Snort rules with the
+ capability of disabling, modifying and enabling specific
+ rules after an update. Oinkmaster will tell you exactly what
+ has changed since your last update, giving you good
+ control of your rules. It also can be used to manage updates
+ from both the official provider (www.snort.org) and from
+ other rulesets (www.emergingthreats.net)
--- oinkmaster-2.0.orig/debian/changelog
+++ oinkmaster-2.0/debian/changelog
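Review bot: `Recommends: wget` does not agree with the script default `use_external_bins => 1` shown in the oinkmaster.pl hunk on this page: with that default the sanity check in oinkmaster.pl calls `clean_exit("wget not found in PATH ...")` for any http(s)/ftp URL, so a default install without wget fails on the first run even though libwww-perl is a hard dependency. Either `Depends: wget` or a shipped configuration with `use_external_bins = 0` is needed for the two to match. `Build-Depends: debhelper (>= 4.0.0)` also looks stale against the changelog's "debian/compat: Change to compatibility version 5" (the compat file content is cut off at the end of this page); `debhelper (>= 5)` would be the matching bound. `Standards-Version: 3.6.0` predates the Homepage and Vcs-* fields used here, so a policy re-check is presumably due.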
@@ -0,0 +1,86 @@
+oinkmaster (2.0-4) unstable; urgency=low
+
+ * debian/control:
+ - Update maintainer's address
+ - Promote www.emergingthreats.net since it has replaced Bleeding Snort
+ and is actively maintained as of today
+ * FAQ: reference to www.emergingthreats.net since it has replaced
+ www.bleedingthreats.net as well as 'Bleeding Snort'
+ * oinkmaster.conf: Add some examples with the latest Snort version and fix the
+ "old" URL for Bleeding Snort (Closes: 684237)
+
+ -- Javier Fernández-Sanguino Peña Wed, 08 Aug 2012 02:26:20 +0200
+
+oinkmaster (2.0-3) unstable; urgency=low
+
+ * Update with content from upstream's CVS:
+ - oinkmaster.conf: Remove obsolete URLs and provide urls to VRT
+ certified rules and Emerging Threats rules. (Closes: 456243)
+ - oinkmaster.pl, create-sidmap.pl: new features
+ - Update of upstream's e-mail address in several documentation.
+ * debian/rules:
+ - Do not install debian/oinkmaster.conf but install upstream's
+ instead.
+ * debian/oinkmaster.conf: removed, use upstream's instead. The
+ configuration file now ships with everything commented out as it
+ requires changes for every enviornment. The previous values sets
+ are now the default in the script.
+ * debian/dirs, debian/rules: do not create /var/run/oinkmaster
+ * With the above changes, the temporary directory used now is based
+ on the user's environment (TMPDIR, TMP) or defaults to /tmp. This is the
+ default, and has been enabled after reviewing the code of oinkmaster.pl and
+ making sure that this (hopefully) does not open up temporary race condition
+ security bugs.
+ Now /var/run/oinkmaster is no longer used, which prevents using
+ due to the use of tmpfs in /var/run (Closes: 519804) (LP: #331853)
+ * debian/control:
+ - Move homepage to header
+ - Add Vcs-Cvs and Vcs-Browse headers information
+ * Change the Debian maintainer's upstream email address in
+ debian files.
+ * debian/compat: Change to compatibility version 5
+
+ -- Javier Fernandez-Sanguino Pen~a Thu, 28 Oct 2010 00:03:45 +0200
+
+oinkmaster (2.0-2) unstable; urgency=low
+
+ * Added watch file provided by Raphael Geissert (Closes: #449731)
+
+ -- Javier Fernandez-Sanguino Pen~a Sun, 02 Dec 2007 16:53:00 +0100
+
+oinkmaster (2.0-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Javier Fernandez-Sanguino Pen~a Sun, 23 Apr 2006 23:12:30 +0200
+
+oinkmaster (1.2-1) unstable; urgency=low
+
+ * New upstream release
+ - The configuration file now provides proper URLs to download either the
+ Snort Community Rules or registered Snort rules (Closes: #305048)
+ * Package Provides: snort-rules (CloseS: #276609)
+
+ -- Javier Fernandez-Sanguino Pen~a Sun, 24 Apr 2005 02:04:11 +0200
+
+oinkmaster (1.1-1) unstable; urgency=low
+
+ * New upstream release.
+ - Install new README.templates documentation and templates-example.conf
+ example
+ * Install the contributed scripts in /usr/share/oinkmaster
+
+ -- Javier Fernandez-Sanguino Pen~a Tue, 22 Feb 2005 00:04:04 +0100
+
+oinkmaster (1.0-1) unstable; urgency=low
+
+ * Initial Release (#219996). This is needed for the release since
+ there is currently no mechanism to update Snort's ruleset
+ * Provide a custom configuration file, it is somewhat restricted
+ so that only root will be able to download new rules under
+ /var/run/oinkmaster, it will use Perl's implementations of libraries
+ to avoid system calls to wget/tar/gzip
+ * Updated ruleset location to 2.2
+
+ -- Javier Fernandez-Sanguino Pen~a Mon, 13 Sep 2004 16:15:26 +0200
+
--- oinkmaster-2.0.orig/debian/watch
+++ oinkmaster-2.0/debian/watch
@@ -0,0 +1,4 @@
+# Watch file for oinkmaster
+# Site Directory Pattern Version Script
+version=3
+http://sf.net/oinkmaster/oinkmaster-(.*)\.tar\.gz debian uupdate
--- oinkmaster-2.0.orig/debian/compat
+++ oinkmaster-2.0/debian/compat
@@ -0,0 +1 @@ +5 --- oinkmaster-2.0.orig/contrib/create-sidmap.pl +++ oinkmaster-2.0/contrib/create-sidmap.pl @@ -1,8 +1,8 @@ #!/usr/bin/perl -w -# $Id: create-sidmap.pl,v 1.21 2005/12/31 13:42:46 andreas_o Exp $ # +# $Id: create-sidmap.pl,v 1.23 2006/10/12 08:57:26 andreas_o Exp $ # -# Copyright (c) 2004-2006 Andreas Östling +# Copyright (c) 2004-2006 Andreas Östling # All rights reserved. # # Redistribution and use in source and binary forms, with or @@ -94,15 +94,16 @@ my @file = ; close(FILE); - my ($single, $multi, $nonrule, $msg, $sid); + my ($single, $multi, $nonrule, $msg, $sid, %old_sids); while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { if (defined($single)) { warn("WARNING: duplicate SID: $sid (discarding old)\n") - if (exists($sidmap{$sid})); + if (exists($old_sids{$sid}) && ($single !~ /^#/ && $old_sids{$sid} !~ /^#/)); $sidmap{$sid} = "$sid || $msg"; + $old_sids{$sid} = $single; # Print all references. Borrowed from Brian Caswell's regen-sidmap script. my $ref = $single; --- oinkmaster-2.0.orig/contrib/README.contrib +++ oinkmaster-2.0/contrib/README.contrib @@ -1,7 +1,7 @@ -# $Id: README.contrib,v 1.21 2005/10/18 10:41:20 andreas_o Exp $ # +# $Id: README.contrib,v 1.22 2006/10/12 08:57:26 andreas_o Exp $ # ------------------------------------------------------------------------------- -* oinkgui.pl by Andreas Östling +* oinkgui.pl by Andreas Östling A graphical front-end to Oinkmaster written in Perl/Tk. See README.gui for complete documentation. @@ -10,7 +10,7 @@ ------------------------------------------------------------------------------- -* addsid.pl by Andreas Östling +* addsid.pl by Andreas Östling A script that parses *.rules in all specified directories and adds a SID to (active) rules that don't have any. (Actually, rev and classtype 
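Review bot: The relaxed guard on the `if (exists($old_sids{$sid}) && ($single !~ /^#/ && $old_sids{$sid} !~ /^#/))` line in the create-sidmap.pl `@@ -94,15 +94,16 @@` hunk only silences the warning when one of the two duplicates is commented out, but the two assignments below it still run unconditionally, so a disabled copy that comes after an active rule with the same SID quietly replaces the active rule's entry in %sidmap while the message still promises "discarding old". The new test itself shows that commented-out rules do reach this branch, so the silent path is real. If disabled copies are meant to be ignored rather than merely un-warned, the two assignments should be skipped in that case, e.g. by wrapping them in `unless ($single =~ /^#/ && exists($old_sids{$sid}) && $old_sids{$sid} !~ /^#/) { ... }`; if the overwrite is intended, a comment such as `# warn only when two *active* rules share a SID; a commented-out copy is not an error` above the guard would record that. The while loop and its enclosing sub continue past the hunk, so I cannot see whether a later pass already filters commented rules.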
@@ -24,7 +24,7 @@ ------------------------------------------------------------------------------- -* create-sidmap.pl by Andreas Östling +* create-sidmap.pl by Andreas Östling A script that parses all active rules in *.rules in all specified directories and creates a SID map. (Like Snort's regen-sidmap, but this @@ -36,7 +36,7 @@ ------------------------------------------------------------------------------- * makesidex.pl, originally by Jerry Applebaum but later rewritten by - Andreas Östling to handle multi-line rules and + Andreas Östling to handle multi-line rules and multiple rules directories. It reads *.rules in all specified directories, looks for all disabled @@ -48,7 +48,7 @@ ------------------------------------------------------------------------------- -* addmsg.pl by Andreas Östling : +* addmsg.pl by Andreas Östling : A script that will parse your oinkmaster.conf for localsid/enablesid/disablesid lines and add their rule message as a #comment. --- oinkmaster-2.0.orig/contrib/makesidex.pl +++ oinkmaster-2.0/contrib/makesidex.pl @@ -1,8 +1,8 @@ #!/usr/bin/perl -w -# $Id: makesidex.pl,v 1.11 2005/12/31 13:42:46 andreas_o Exp $ # +# $Id: makesidex.pl,v 1.12 2006/10/12 08:57:26 andreas_o Exp $ # -# Copyright (c) 2004-2006 Andreas Östling +# Copyright (c) 2004-2006 Andreas Östling # All rights reserved. # # Redistribution and use in source and binary forms, with or --- oinkmaster-2.0.orig/contrib/oinkgui.pl +++ oinkmaster-2.0/contrib/oinkgui.pl @@ -1,8 +1,8 @@ #!/usr/bin/perl -w -# $Id: oinkgui.pl,v 1.52 2005/12/31 13:42:46 andreas_o Exp $ # +# $Id: oinkgui.pl,v 1.53 2006/10/12 08:57:26 andreas_o Exp $ # -# Copyright (c) 2004-2006 Andreas Östling +# Copyright (c) 2004-2006 Andreas Östling # All rights reserved. # # Redistribution and use in source and binary forms, with or --- oinkmaster-2.0.orig/contrib/addsid.pl +++ oinkmaster-2.0/contrib/addsid.pl 
@@ -1,8 +1,8 @@ #!/usr/bin/perl -w -# $Id: addsid.pl,v 1.30 2005/12/31 13:42:46 andreas_o Exp $ # +# $Id: addsid.pl,v 1.31 2006/10/12 08:57:26 andreas_o Exp $ # -# Copyright (c) 2004-2006 Andreas Östling +# Copyright (c) 2004-2006 Andreas Östling # All rights reserved. # # Redistribution and use in source and binary forms, with or --- oinkmaster-2.0.orig/contrib/addmsg.pl +++ oinkmaster-2.0/contrib/addmsg.pl @@ -1,8 +1,8 @@ #!/usr/bin/perl -w -# $Id: addmsg.pl,v 1.19 2005/12/31 13:42:46 andreas_o Exp $ # +# $Id: addmsg.pl,v 1.20 2006/10/12 08:57:26 andreas_o Exp $ # -# Copyright (c) 2004-2006 Andreas Östling +# Copyright (c) 2004-2006 Andreas Östling # All rights reserved. # # Redistribution and use in source and binary forms, with or