Wednesday, August 04, 2004

Hints on Using Oinkmaster and Sguil

I released an updated Sguil Installation Guide today that shows how to replace the Snort stream4 keepstats-based session data collection system with John Curry's SANCP code. SANCP is a better option than stream4, as SANCP tracks not only TCP like stream4 but also UDP and ICMP. The flows are also easier to work with, since they tend to occupy single entries.

I've also been experimenting with the best way to use Oinkmaster with my preferred directory layouts. When Oinkmaster runs, it works in the directory specified. For example:

perl ./ -b /tmp -o /usr/local/etc/snort/rules
-C /usr/local/etc/snort/oinkmaster.conf

This syntax will tell Oinkmaster to place the files it manipulates in the /usr/local/etc/snort/rules directory. Besides the .rules files, this includes other important files:

-> classification.config
-> reference.config
-> threshold.conf

I like to keep these in /usr/local/etc/snort. To deal with this, I replaced these files in /usr/local/etc/snort with symlinks to the real files in /usr/local/etc/snort/rules:

orr:/usr/local/etc/snort# rm classification.config reference.config threshold.conf
orr:/usr/local/etc/snort# ln -s rules/classification.config classification.config
orr:/usr/local/etc/snort# ln -s rules/
orr:/usr/local/etc/snort# ln -s rules/reference.config reference.config
orr:/usr/local/etc/snort# ln -s rules/
orr:/usr/local/etc/snort# ln -s rules/threshold.conf threshold.conf
orr:/usr/local/etc/snort# ln -s rules/

This may seem a waste of time, but I have /usr/local/etc/snort coded into many of the Sguil config files as the location of these various .conf and .map configuration files.

1 comment:

Serg said...

The time is spent, but the system will be more protected