[3.0] oinktools - add, search and disable SNORT rules

Our mods for Smoothwall Express v3 are available and supported here.

Moderator: Forum Moderators

oinktools rating:

Excellent!
1
100%
Very Good
0
No votes
Good
0
No votes
Fair
0
No votes
Poor
0
No votes
 
Total votes : 1

[3.0] oinktools - add, search and disable SNORT rules

Postby wkitty42 » Thu Oct 04, 2007 6:01 pm

[3.0] oinktools - add, search and disable SNORT rules


NOTE: This mod is being merged with the GAR (aka Guardian Active Response) mod. Time of completion for this merging is not yet known.

:arrow: What is the oinktools mod for?

This is a tool to allow you to disable, enable or modify SNORT SIDs as well as being able to add your own custom rules to SNORT. This mod includes a search function that allows you to search the sid-msg.map file for a phrase or SID. This search is needed because the Smoothwall3 IDS Logs page doesn't list the SID but it does give the rule's description. Once you locate the description, then you can create a disablesid, enablesid or modifysid rule for oinkmaster to implement when it runs and/or updates your SNORT rules. The sid-msg.map file is created/updated each time you run oinkmaster from the GUI. If you need to create/update sid-msg.map without running oinkmaster, the command line tool make-sidmap.pl is provided.

:arrow: What does this mod do?

Oinktools takes text entries from the oinktools gui page and writes them to the needed files for OINKMaster and SNORT to recognize and use. No more having to go digging about in the .rules files trying to hunt down the SID for a rule you want to disable!

:arrow: Changes

1. Oct 3, 2007 v0.1b initial announcement.
2. Oct 4, 2007 v0.1b released.
3. Nov 29, 2007 v0.2 released.
4. Nov 30, 2007 v0.2a released.

_________________________________________________________________________________________

:arrow: Prerequisites

The only prerequisite for oinktools is to have a version of SmoothWall 3.0 installed.

:arrow: Standard disclaimer

This mod is distributed under the terms of the GNU GPL. Therefore, it is free to use and distribute as you see fit. However, I cannot be held responsible for any untoward events that may occur with the use of this mod, including but not limited to: Loss of data, client privacy issues, breaking your SmoothWall, etc.

:arrow: Installation:

:!: Remember, it is never a bad idea to back up your original files on your own before installation. The installation script will backup all original files for you, but doing it yourself is also a good idea.

1. Get the tarball here:
oinktools-0.2a.tgz

2. Copy the tarball into your SmoothWall /tmp directory using SCP.

3. Using PuTTy or at the console cd to the /tmp directory and type
Code: Select all
tar -zxvf oinktools-0.2a.tgz -C /

to extract the archive. Then install the mod by typing
Code: Select all
/var/smoothwall/mods/oinktools/install.pl

Go to the SmoothWall web gui and click on "tools". You will now see a tab for "oinktools". Click on it to access the oinktools gui. Just click on the "help" tab for a wealth of information and help.

:arrow: Using oinktools:

1. Search for the phrase to find the SID.

2. Create the disablesid, enablesid or modifysid rules you need.

3. Save the updated file.

4. Run OINKMaster and reload SNORT.

5. Same basic procedures for creating or editing your own rules in local.rules.

6. Make sure you have all your rules in place and have clicked on the 'SAVE' option before you click on any other buttons. You could loose some work if you try another search before saving the files.

7. Make sure that you use the 'Run OINKMaster and Reload SNORT' button to activate your changes and additions.

:arrow: Updating oinktools

1. There should be no need to uninstall the previous version of oinktools. The new version's installation script will remove it for you. Just follow the installation instructions above.

:arrow: Uninstalling oinktools:

If you should wish to uninstall oinktools v0.2a, go to the command prompt and type
Code: Select all
/var/smoothwall/mods/oinktools/uninstall-v0.2a.pl

and oinktools will be removed and all original files restored.

:arrow: Files added with installation of this mod:
/httpd/cgi-bin/oinktools.cgi
/httpd/html/help/oinktools.cgi.html.en
/usr/lib/smoothwall/menu/6000_Tools/4000_oink.list
/var/smoothwall/snort/rules/local.rules
/var/smoothwall/snort/oinktools.conf
/usr/local/sbin/create-sidmap.pl
/usr/local/sbin/make-sidmap.pl


:arrow: Files changed with installation of this mod:
/usr/lib/smoothwall/langs/base.pl
/usr/lib/smoothwall/langs/alertboxes.base.pl
/usr/lib/smoothwall/oinkmaster.conf
/etc/snort.conf


:arrow: Screenies:
Image

:arrow: Known issues

  • The previous issue of missing sid-msg.map should now be resolved. (v0.2)
  • The previous issue of creating a zero byte sid-msg.map should now be resolved. (v0.2a)
  • The [Run Oinkmaster and reload SNORT] button is hard coded for snort version 2.4.
      Line 118 in oinktools.cgi needs to be edited to reflect 2.8 in the snapshot filename.
      This will be taken care of when the final merge of this mod to the GAR mod is completed.
      At that time, just as the GAR mod does on the ids.cgi page, the GUI will query snort for
      its version and use that. (v0.2a)
  • There are no other known issues at this time.

:arrow: Thank you!

1. To the SmoothWall team for creating SmoothWall.

2. To Tiago and NetWhiz for creating the MOD PACK system that makes mod installation and uninstallation a nearly painless process.

3. To the SNORT and OINKMaster Teams for their creations and all the hard work they put in maintaining them for us to protect our systems with.

4. To s-t-p. Without his work on the crontool mod, I'd not have had as easy a starting point to begin from. ;)
You do not have the required permissions to view the files attached to this post.
User avatar
wkitty42
solar system
 
Posts: 3731
Joined: Fri Mar 26, 2004 5:06 pm
Location: Central North Carolina, USA

Return to SWE3 Mods

Who is online

Users browsing this forum: CommonCrawl [Bot] and 0 guests