Automatically Update Snort’s Rules

Keep your Snort rules up-to-date with Oinkmaster.

If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process. However, as the number of sensors grows, it can become much more difficult. Luckily, you can automatically update your Snort rules with Oinkmaster (http://oinkmaster.sourceforge.net/news.shtml).

Oinkmaster is a Perl script that does much more than just download new Snort rules. It will also modify the newly downloaded rules according to modification rules that you specify, or selectively disable them. This is useful when you have modified the standard Snort rules to fit your environment more closely, or have disabled a rule that was reporting too many false positives.

To install Oinkmaster, simply download the source distribution and unpack it. Then copy the oinkmaster.pl file from the directory that it creates to some suitable place on your system. In addition, you’ll need to copy the oinkmaster.conf file to either /etc or /usr/local/etc. The oinkmaster.conf that comes with the source distribution is full of comments explaining all the minute options that you can configure. Oinkmaster is most useful when you want to update your rules but have a set of rules that you don’t want enabled and that are already commented out in your current Snort rules. To have Oinkmaster automatically disable these rules, use the disablesid directive with the Snort rule ID (SID) of each rule that you want disabled when your rules are updated. ...
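As an added example (not code from the book or from Oinkmaster itself), here is a small POSIX shell helper that scans your locally tuned rules files, finds the rules you have already commented out, and emits the matching disablesid lines to append to oinkmaster.conf, so those rules stay off after every update. The sample rules file is constructed inline; the /etc/snort/rules and /usr/local/etc/oinkmaster.conf paths in the comments are assumptions.

```shell
#!/bin/sh
# Constructed sample of a locally tuned Snort rules file: the administrator has
# commented out two noisy rules and left one active.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; sid:1000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE noisy web rule"; sid:1000002; rev:2;)
# alert udp any any -> $HOME_NET 161 (msg:"SAMPLE snmp noise"; sid:1000003; rev:1;)
# An ordinary comment line, not a disabled rule.
EOF

# Print one "disablesid <sid>" line per commented-out rule in the given files.
# Appending the output to oinkmaster.conf keeps those rules disabled every time
# Oinkmaster fetches a fresh rule set.
disabled_sids() {
    # A disabled rule is a line beginning with '#', optional whitespace and a
    # rule action keyword; its SID is taken from the "sid:NNN;" option.
    grep -hE '^#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$@" \
        | sed -nE 's/.*[[:space:](]sid:[[:space:]]*([0-9]+)[[:space:]]*;.*/disablesid \1/p' \
        | sort -u
}

# Stand-alone run against the constructed sample. In a real deployment
# (assumed paths) you would run, for example:
#   disabled_sids /etc/snort/rules/*.rules >> /usr/local/etc/oinkmaster.conf
disabled_sids "$SAMPLE_RULES"
```

Review the generated lines before appending them: a rule commented out temporarily for debugging would otherwise be disabled permanently.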
