The host that had been serving as our intrusion detection system updates its Snort rules through oinkmaster, but recently (actually for quite a while now; I was just lazy and never got around to dealing with it) I kept receiving error messages like the following in my mailbox:
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2860.tar.gz
Resolving www.snort.org… 23.23.143.164
Connecting to www.snort.org|23.23.143.164|:80… connected.
HTTP request sent, awaiting response… 403 Forbidden
2013-09-07 23:30:03 ERROR 403: Forbidden.
I guessed that the download path for the Snort rules had changed, so I logged in to the official Snort website and finally found the fix:
Edit /etc/snort/oinkmaster.conf (the path may differ depending on how Snort was installed)
# vim /etc/snort/oinkmaster.conf
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/snortrules-snapshot-2931.tar.gz
The <oinkcode here> part is where your oinkcode goes; only the snapshot version at the end of the URL (2860 → 2931) needed to change.
Test it
# /usr/local/bin/oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules/
Loading /etc/snort/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2931.tar.gz…
…
…
…
-> protocol-ftp.rules
-> protocol-icmp.rules
-> protocol-imap.rules
-> protocol-nntp.rules
-> protocol-pop.rules
-> protocol-rpc.rules
-> protocol-scada.rules
-> protocol-services.rules
-> protocol-snmp.rules
-> protocol-telnet.rules
-> protocol-tftp.rules
-> protocol-voip.rules
-> pua-adware.rules
-> pua-other.rules
-> pua-p2p.rules
-> pua-toolbars.rules
-> server-apache.rules
-> server-iis.rules
-> server-mail.rules
-> server-mssql.rules
-> server-mysql.rules
-> server-oracle.rules
-> server-other.rules
-> server-samba.rules
-> server-webapp.rules
OK, done!
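As an added example (not from the original post or from the oinkmaster project), a small POSIX shell helper that bumps the snapshot version in oinkmaster.conf in place and prints the configured URL with the oinkcode masked, so the code does not end up in shell history or logs. The function names set_snapshot and masked_url are my own; it assumes the conf holds one url line of the form shown above.

```shell
#!/bin/sh
# Added example (not from the original post): update the Snort rules snapshot
# version in an oinkmaster.conf without touching the oinkcode, and print the
# resulting URL with the oinkcode masked the way oinkmaster's own log does.
# Assumes the conf holds a single line of the form
#   url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-NNNN.tar.gz
set -eu

# set_snapshot CONF VERSION : rewrite the snapshot version in CONF's url line.
# VERSION must be all digits (e.g. 2931); a .bak copy of CONF is kept.
set_snapshot() {
    conf="$1"; ver="$2"
    case "$ver" in
        *[!0-9]*|'') echo "bad snapshot version: $ver" >&2; return 1 ;;
    esac
    grep -q '^url *= *http://www.snort.org/pub-bin/oinkmaster.cgi/' "$conf" || {
        echo "no snort.org url line found in $conf" >&2; return 1; }
    sed -i.bak -e "s|\(/snortrules-snapshot-\)[0-9]*\(\.tar\.gz\)|\1${ver}\2|" "$conf"
}

# masked_url CONF : print the configured URL with the oinkcode replaced by
# *oinkcode*, safe to paste into a ticket or log.
masked_url() {
    sed -n 's|^url *= *\(http://www.snort.org/pub-bin/oinkmaster.cgi/\)[^/]*/|\1*oinkcode*/|p' "$1"
}
```

Run `set_snapshot /etc/snort/oinkmaster.conf 2931` and then the usual `oinkmaster.pl -C ... -o ...` test from above.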