Snort mailing list archives
Re: instant snort sigs for new vulnerabilities
From: Steve Francis <sfrancis () expertcity com>
Date: Mon, 01 Jul 2002 16:38:31 -0700
I have this called from cron:

#Update rules
# (ARCHIVE and SNORTLOG must be set before this point)
cd /tmp
rm -rf rules
/usr/local/bin/wget http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
rm snortrules.tar*
mv /tmp/rules/*.rules /usr/local/share/snort

# Restart snort (doing it with stop/start restarts the snort-NNNN () NNNN log
# file).
/usr/local/etc/rc.d/snort.sh stop >/dev/null
if [ -d "$ARCHIVE" ]; then
    cd "$SNORTLOG"
    mv *-snort.log "$ARCHIVE"
fi
/usr/local/etc/rc.d/snort.sh start >/dev/null

twig les wrote:
That's a good idea for a quick script that I should have had done months ago. As soon as I put out the latest mystery fire I'll see if I can get a reasonable little Lynx-based cronjob.

--- Steve McGhee <stevem () lmri ucsb edu> wrote:

With all the fuss lately over the new apache worm, etc, I'd like to know if my machine is getting hit (it's patched, just being curious). I know about mod_blowchunks, but I'm looking for something more general.

It seems to me that snort could see these attacks pretty easily. Is there a tool/method out there that will retrieve the *latest* snort signatures automatically?

For those of us not running snort via CVS, I'd like a way to do something like cvsup, but _only_ update my ruleset every night or whatever.

I cc: the freebsd team as this might be a cool (simple) port. (something like /usr/ports/security/snort-signatures)

This could be helpful to people who are just curious, or maybe could provide some good numbers to shock lazy sysadmins into actually patching their machines.

..of course, this is all assuming there's someone out there writing signatures ;)

-steve

Steve McGhee
Systems Administrator
Linguistic Minority Research Institute
UC Santa Barbara
phone: (805)893-2683
email: stevem () lmri ucsb edu

=====
Only fools have all the answers.
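An added example, not part of Steve Francis's message: a hardened form of the install step in the cron job above, which stages the download in a private directory, refuses archives with absolute or ".." member paths, and reports whether anything changed so Snort is restarted only when needed. The function name `install_rules`, its return codes and the `previous/` backup directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script). install_rules TARBALL DESTDIR
# returns 0 if rule files were installed, 2 if nothing changed,
# 1 if the archive was rejected or a copy failed.
install_rules() {
    tarball=$1
    dest=$2
    # Private, unpredictable work directory instead of a fixed /tmp/rules.
    work=$(mktemp -d "${TMPDIR:-/tmp}/snortrules.XXXXXX") || return 1
    status=1

    # List members first: refuse absolute paths and ".." before extracting.
    if tar -tzf "$tarball" > "$work/members" 2>/dev/null &&
       ! grep -Eq '^/|(^|/)\.\.(/|$)' "$work/members" &&
       mkdir "$work/x" && tar -xzf "$tarball" -C "$work/x" 2>/dev/null; then
        for f in "$work"/x/rules/*.rules; do
            # Skip an unmatched glob, symlinks and empty files.
            [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || continue
            [ "$status" -eq 1 ] && status=2
            name=${f##*/}
            cmp -s "$f" "$dest/$name" 2>/dev/null && continue
            # Keep the file being replaced so a bad update can be undone.
            mkdir -p "$dest/previous"
            [ -f "$dest/$name" ] && cp -p "$dest/$name" "$dest/previous/$name"
            if cp "$f" "$dest/$name.new" && mv "$dest/$name.new" "$dest/$name"; then
                status=0
            else
                status=1
                break
            fi
        done
    fi
    rm -rf "$work"
    return "$status"
}

# Cron usage (paths as in the post; $tarball is whatever wget fetched):
#   if install_rules "$tarball" /usr/local/share/snort; then
#       /usr/local/etc/rc.d/snort.sh stop; /usr/local/etc/rc.d/snort.sh start
#   fi
```

Before restarting, the installed rules can also be checked with Snort's test mode (`snort -T -c` followed by your own configuration file).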