From: Jason Ish Date: Fri, 6 Sep 2019 15:32:04 +0000 (-0600) Subject: userguide: remove section on using Oinkmaster X-Git-Tag: suricata-5.0.0-rc1~77 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bb07b550c1f00a95e6803aba7cdeb22d637fbc2;p=thirdparty%2Fsuricata.git userguide: remove section on using Oinkmaster Users should be using Suricata-Update now. --- diff --git a/doc/userguide/rule-management/index.rst b/doc/userguide/rule-management/index.rst index d97888cca1..b38ee566a5 100644 --- a/doc/userguide/rule-management/index.rst +++ b/doc/userguide/rule-management/index.rst @@ -4,6 +4,5 @@ Rule Management .. toctree:: suricata-update - oinkmaster adding-your-own-rules rule-reload diff --git a/doc/userguide/rule-management/oinkmaster.rst b/doc/userguide/rule-management/oinkmaster.rst deleted file mode 100644 index 4a4b3debd3..0000000000 --- a/doc/userguide/rule-management/oinkmaster.rst +++ /dev/null @@ -1,189 +0,0 @@ -Rule Management with Oinkmaster -=============================== - -.. note:: ``suricata-update`` is the official and recommended way to - update and manage rules and rulesets. See :doc:`suricata-update` - -It is possible to download and install rules manually, but there is a -much easier and quicker way to do so. There are special programs which -you can use for downloading and installing rules. There is for example -`Pulled Pork `_ and -`Oinkmaster `_. In this documentation -the use of Oinkmaster will be described. - -To install Oinkmaster, enter: - -:: - - sudo apt-get install oinkmaster - -There are several rulesets. There is for example Emerging Threats (ET) -Emerging Threats Pro and VRT. In this example we are using Emerging -Threats. - -Oinkmaster has to know where the rules an be found. These rules can be found at: - -:: - - https://rules.emergingthreats.net/open/suricata-3.2/emerging.rules.tar.gz - -open oinkmaster.conf to add this link by entering: - -:: - - sudo nano /etc/oinkmaster.conf - -Place a # in front of the url that is already there and add the new url like this: - -.. image:: oinkmaster/oinkmasterconf.png - -(Close oinkmaster.conf by pressing ctrl x, followed by y and enter. ) - -The next step is to create a directory for the new rules. Enter: - -:: - - sudo mkdir /etc/suricata/rules - - -Next enter: - -:: - - cd /etc - sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules - -In the new rules directory a classification.config and a -reference.config can be found. The directories of both have to be -added in the suricata.yaml file. Do so by entering: - -:: - - sudo nano /etc/suricata/suricata.yaml - -And add the new file locations instead of the file locations already -present, like this: - -.. image:: oinkmaster/suricata_yaml.png - -To see if everything works as pleased, run Suricata: - -:: - - suricata -c /etc/suricata/suricata.yaml -i wlan0 (or eth0) - -You will notice there are several rule-files Suricata tries to load, -but are not available. It is possible to disable those rule-sets in -suricata.yaml by deleting them or by putting a # in front of them. To -stop Suricata from running, press ctrl c. - -Emerging Threats contains more rules than loaded in Suricata. To see -which rules are available in your rules directory, enter: - -:: - - ls /etc/suricata/rules/*.rules - -Find those that are not yet present in suricata.yaml and add them in -yaml if desired. - -You can do so by entering : - -:: - - sudo nano /etc/suricata/suricata.yaml - -If you disable a rule in your rule file by putting a # in front of it, -it will be enabled again the next time you run Oinkmaster. You can -disable it through Oinkmaster instead, by entering the following: - -:: - - cd /etc/suricata/rules - -and find the sid of the rule(s) you want to disable. - -Subsequently enter: - -:: - - sudo nano /etc/oinkmaster.conf - -and go all the way to the end of the file. -Type there: - -:: - - disablesid 2010495 - -Instead of 2010495, type the sid of the rule you would like to -disable. It is also possible to disable multiple rules, by entering -their sids separated by a comma. - -If you run Oinkmaster again, you can see the amount of rules you have -disabled. You can also enable rules that are disabled by default. Do -so by entering: - -:: - - ls /etc/suricata/rules - -In this directory you can see several rule-sets -Enter for example: - -:: - - sudo nano /etc/suricata/rules/emerging-malware.rules - -In this file you can see which rules are enabled en which are not. -You can not enable them for the long-term just by simply removing -the #. Because each time you will run Oinkmaster, the rule will be -disabled again. Instead, look up the sid of the rule you want to -enable. Place the sid in the correct place of oinkmaster.config: - -:: - - sudo nano /etc/oinkmaster.conf - -do so by typing: - -:: - - enablesid: 2010495 - -Instead of 2010495, type the sid of the rule you would like to to -enable. It is also possible to enable multiple rules, by entering -their sids separated by a comma. - -In oinkmaster.conf you can modify rules. For example, if you use -Suricata as inline/IPS and you want to modify a rule that sends an -alert when it matches and you would like the rule to drop the packet -instead, you can do so by entering the following: - -:: - - sudo nano oinkmaster.conf - -At the part where you can modify rules, type: - -:: - - modifysid 2010495 "alert" | "drop" - -The sid 2010495 is an example. Type the sid of the rule you desire to -change, instead. - -Rerun Oinkmaster to notice the change. - -Updating your rules -~~~~~~~~~~~~~~~~~~~ - -If you have already downloaded a ruleset (in the way described in this -file), and you would like to update the rules, enter: - -:: - - sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules - -It is recommended to update your rules frequently. Emerging Threats is -modified daily, VRT is updated weekly or multiple times a week. diff --git a/doc/userguide/rule-management/oinkmaster/oinkmasterconf.png b/doc/userguide/rule-management/oinkmaster/oinkmasterconf.png deleted file mode 100644 index 6f8545519c..0000000000 Binary files a/doc/userguide/rule-management/oinkmaster/oinkmasterconf.png and /dev/null differ diff --git a/doc/userguide/rule-management/oinkmaster/suricata_yaml.png b/doc/userguide/rule-management/oinkmaster/suricata_yaml.png deleted file mode 100644 index 3ae19b5412..0000000000 Binary files a/doc/userguide/rule-management/oinkmaster/suricata_yaml.png and /dev/null differ