Archive for June, 2010

Using Bleedingsnort Rules for the Impatient

This is a sample Oinkmaster configuration file, Oinkmaster-bleedingsnort.conf, for use with the Bleeding Snort ruleset.

———–
url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
tmpdir = /tmp
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules

———–

Then run oinkmaster like so:
oinkmaster.pl -q -C Oinkmaster-bleedingsnort.conf -o ./rules

Adjust ./rules to point at your own rules directory, of course.

Add these lines to your snort.conf:

include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-attack-response.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-custom.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules

include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-web.rules

or just:
include $RULE_PATH/bleeding-all.rules

And finally, only if you are using Barnyard or some other tool that relies on a sid-msg.map, you need to add the bleedingsnort map to the stock file like so:
cp sid-msg.map sid-msg.map.orig
cat bleeding-sid-msg.map sid-msg.map.orig | sort -u > sid-msg.map
And you’re ready to go!!!
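As an added example that is not part of the original post, the script below replays the sid-msg.map merge above on two constructed sample maps and then checks the merged file for SIDs that appear on more than one line, which happens when the stock map and the bleeding map carry the same SID with different message text. The file names are the post's; the map contents and the duplicate_sids helper are constructed here for illustration.

```shell
# Added example: rebuild the post's sid-msg.map merge in a scratch directory
# and report SIDs that end up duplicated. Map contents are constructed data.
set -e

WORK=$(mktemp -d)
STOCK="$WORK/sid-msg.map"
BLEEDING="$WORK/bleeding-sid-msg.map"

# Constructed stock sid-msg.map. Format: sid || msg [|| reference ...]
cat > "$STOCK" <<'EOF'
1000 || EXAMPLE stock rule one
1001 || EXAMPLE stock rule two || url,example.invalid/1001
2000000 || EXAMPLE stock line that collides with a bleeding sid
EOF

# Constructed bleeding-sid-msg.map. SID 2000000 also exists in the stock map
# but with different text, so a plain line-based merge keeps both lines.
cat > "$BLEEDING" <<'EOF'
2000000 || BLEEDING-EDGE example one
2000001 || BLEEDING-EDGE example two || url,example.invalid/2000001
EOF

# The merge exactly as the post does it: back up the stock map, then
# concatenate both maps and drop only identical lines with sort -u.
merge_maps() {
    cp "$1" "$1.orig"
    cat "$2" "$1.orig" | sort -u > "$1"
}

# List SIDs that occur on more than one line of a map. Barnyard resolves a
# SID to a single message, so each SID printed here needs a manual decision
# about which line to keep.
duplicate_sids() {
    awk -F'|' '{ gsub(/^[ \t]+|[ \t]+$/, "", $1); seen[$1]++ }
               END { for (s in seen) if (seen[s] > 1) print s }' "$1" | sort -n
}

merge_maps "$STOCK" "$BLEEDING"
echo "merged map has $(wc -l < "$STOCK" | tr -d ' ') lines"
echo "SIDs present more than once:"
duplicate_sids "$STOCK"
```

Run the same duplicate_sids check on your real merged map after the cp/cat step; an empty result means the two maps did not overlap.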

How to Submit a Signature or Idea

The Bleeding Snort community is always soliciting new signatures and ideas. Regardless of the maturity or sanity of an idea or signature, please submit it.

You can submit signatures directly to the Bleeding Snort Team at bleeding@bleedingsnort.com. (Please avoid sending directly to an individual admin. If they happen to be offline or out, your sig may be delayed.)

The forums on this site are a medium to bring up and discuss new ideas.

We also monitor the Snort-Sigs list maintained at www.snort.org, as well as a number of other mediums.