SNORT - The Easy Tutorial - The Bleegindsnort Rules

Snort Bleeding
Last update: 24-Apr-2007 english flag

Tool
Install
Ergonomy
Forum

Details What is Snort ?
Screenshots
Prerequisites
Snort
BASE
Update Snort
Bleedingsnort Rules
Port Mirroring

THE BLEEDING SNORT RULES

You can use another set of rules for snort made by a free and dynamic community:
http://www.bleedingsnort.com
The difference with the snort rules made by sourcefire is that you can get the rules for free immediately after their releases.

Another good news is that you can use the oinkmaster perl script to downlaod and update the bleeding rules.

Open /etc/oinkmaster.conf and add the following line to update the rules:

url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
We then need to add the following lines inside /etc/snort/snort.conf

include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules

They indicate which rules will be used. If you add a "#" at the beginning of certain chosen lines, the corresponding rules will not be used. Running the oinkmaster script will download the bleeding rules and tell you if there is a problem:

#su oinkmaster
#oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1