Re: instant snort sigs for new vulnerabilites

[Steve Francis <sfrancis () expertcity com>]

I have this called from cron:
#Update rules
cd /tmp
rm -rf rules
/usr/local/bin/wget http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
rm snortrules.tar*
mv /tmp/rules/*.rules /usr/local/share/snort

# Restart snort (doing it with stop/start restarts the snort-NNNN () NNNN log
# file).
       /usr/local/etc/rc.d/snort.sh stop >/dev/null
       if [ -d $ARCHIVE ]; then
               cd $SNORTLOG
               mv *-snort.log $ARCHIVE
       fi
       /usr/local/etc/rc.d/snort.sh start >/dev/null

twig les wrote:

> That's a good idea for a quick script that I should
> have had done months ago.  As soon as I put out the
> lastest mystery fire I'll see if I can get a
> reasonable little Lynx-based cronjob.
>
>
> --- Steve McGhee <stevem () lmri ucsb edu> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > with all the fuss lately over the new apache worm,
> > etc, id like to know
> > if my machine is getting hit (its patched, just
> > being curious). i know
> > about mod_blowchunks, but im looking for something
> > more general..
> >
> > it seems to me that snort could see these attacks
> > pretty easily.
> >
> > is there a tool/method out there that will retrieve
> > the *latest* snort
> > signatures automatically? for those of us not
> > running snort via CVS, id
> > like a way to do something like cvsup, but _only_
> > update my ruleset
> > every night or whatever.
> >
> > i cc: the freebsd team as this might be a cool
> > (simple) port. (something
> > like /usr/ports/security/snort-signatures)
> >
> > this could be helpful to people who are just
> > curious, or maybe could
> > provide some good numbers to shock lazy sysadmins
> > into actually patching
> > their machines.
> >
> >
> > ..of course, this is all assuming there's someone
> > out there writing
> > signatures  ;)
> >
> > - --
> > - -steve
> >
> > ~ 
> ..........................................................
>
> > ~        Steve McGhee
> > ~        Systems Administrator
> > ~        Linguistic Minority Research Institute
> > ~        UC Santa Barbara
> > ~        phone: (805)893-2683
> > ~        email: stevem () lmri ucsb edu
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.8
> > Comment: Using PGP with Mozilla -
> > http://enigmail.mozdev.org
> iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
>
> > BcxrxnUpvAJK3Sczy5nY4Ir5
> > =9LCO
> > -----END PGP SIGNATURE-----
> >
> >
> > To Unsubscribe: send mail to majordomo () FreeBSD org
> > with "unsubscribe freebsd-security" in the body of
> > the message
>
>
> =====
> -----------------------------------------------------------
> Only fools have all the answers.
> -----------------------------------------------------------
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
>
> To Unsubscribe: send mail to majordomo () FreeBSD org
> with "unsubscribe freebsd-security" in the body of the message