Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics

Help us translate
our tutorials!

JOIN the
OpenManiak Team.
Blaise Carrera
Tutorials creation:
Blaise Carrera
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Blaise Carrera
OINKMASTER - The Easy Tutorial - Tutorial

Snort Oinkmaster
Last Change : Jun 25 2007 french flagenglish flag


Details What is Snort ?
Update Snort
Bleedingsnort Rules
Port Mirroring

Please check our website about
attractions in Western Switzerland !! (Please use english translation).

Merci de consulter notre site sur les
activités à faire en Suisse romande !!

Once Snort is installed, It is required to install the Snort signature rules and keep them up-to-date.
By chance, there is a perl script that will give us some precious help: Oinkmaster.

#apt-get install oinkmaster
Install or update the rules.

To downlaod the Snort rules, we need to create a free account on the Snort website.
The Snort rules are made by Sourcefire and you can get them for free a few days after the commercial subscription release.

Once you are logged into your Snort account, you can get a code at the bottom of the page.

site web snort code oinkmaster

We need this code in the /etc/oinkmaster.conf file.

You need first to know which Snort version you have:

# snort -V
which generates the following output on our test machine:

,,_ -*> Snort! <*-
o" )~ Version 2.3.2 (Build 12)
'''' By Martin Roesch & The Snort Team:
(C) Copyright 1998-2004 Sourcefire Inc., et al.

Modify the "url" settings in the /etc/oinkmaster.conf file as below:

url =
This will download the snortrules-snapshot-2.3.tar.gz file. The version number in the file name changes depending on the Snort version you have. (2.0, 2.1, 2.2, 2.3, 2.4)

If you have a 2.6.x Snort version, you need to configure the "url" setting as below:

url =
Let's create a backup folder.

#mkdir /etc/snort/backup
Let us now update the rules. We must be careful not to run oinkmaster as root particularly if your are not in a test environment.
So let's add a user called oinkmaster.

#useradd oinkmaster
Change some permissions to let oinkmaster user run the oinkmaster software:

#chown -R oinkmaster /etc/snort/backup
#chown -R oinkmaster /etc/snort/rules
#chown -R oinkmaster /var/run/oinkmaster
#chmod 644 /etc/snort/snort.conf
Now, it's time to test the oinkmaster perl script under the oinkmaster user.

#su oinkmaster
oinkmaster#oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1
The last instruction means that we call the oinkmaster perl script, we put the new rules in the /etc/snort/rules folder and if there is a change in the new rules, the current /etc/snort/rules will be backed up in the /etc/snort/backup folder.

Here is a example of our backup folder after running oinkmaster:

#dir /etc/snort/backup

The crontab

Since we are quite lazy, we don't want to manually run this script every day.
A little cron will help us.

crontab -e -u oinkmaster
30 00 * * * oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 >> /dev/null 2>&1
This will update the rules each day at 00:30
(The crontab command will update the /var/spool/cron/crontabs/oinkmaster file)

crontab -e will open nano by default. If you want to open vi instead just type:
#export EDITOR=vi