Educause Security Discussion mailing list archives
Snort VRT rules
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 15 Jun 2009 11:17:12 +1200
Just an FYI, and apologies for the cross posting.

As many of you are no doubt already well aware, the snort rules snapshot file is now approaching 100MB and is very slow to download. What you may not know is that now that the new snort web site is up, the snapshot file is no longer being rebuilt every day, so you can now rely on the http header stuff to decide whether or not to download the file. They also have md5 files which you can check if you really don't trust the http headers. I am now using -N on wget and have drastically reduced the headaches in downloading the VRT rules.

I have my own script that I use for downloading rule files and this now works happily with the new set up. I am happy to share this script if anyone is interested. It downloads and optionally unpacks tarballs. I use it since I have several sensors with different oinkmaster.confs, and with the large files I unpack them as well - this speeds up the oinkmaster processing considerably.

I am also hacking oinkmaster by adding a -k <keep-dir> which tells oinkmaster to keep the tarballs in the indicated directory and only download them if it really needs to. As expected this change is non-trivial as it changes one of the fundamental assumptions about how files are downloaded. That said, the code is well structured and documented so it is nowhere near as bad as it could be (Thanks Andreas :)

I'm also going to try and get the messages back from the web sessions so that you know when you are being excluded by the download limit (rather than just getting a 403).

Russell
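The workflow described above (fetch the snapshot only when the server's timestamp says it changed, check it against the published md5 file, and unpack only when the tarball actually differs from the last one processed) as an added shell example; this is not Russell's script and not part of oinkmaster. It assumes GNU wget and md5sum are installed, that the .md5 file's first field is the hex digest (assumption), and the URL and directories are placeholders.

```shell
#!/bin/sh
# Added example (not the script from the mailing list post).
# Assumptions: GNU wget (-N timestamping) and md5sum are available;
# RULES_URL, KEEP_DIR and RULES_DIR are placeholders to override.

RULES_URL="${RULES_URL:-https://example.invalid/snortrules-snapshot.tar.gz}"  # placeholder
KEEP_DIR="${KEEP_DIR:-/var/tmp/snort-rules}"       # where tarballs are kept between runs
RULES_DIR="${RULES_DIR:-/var/tmp/snort-rules/unpacked}"

# fetch_if_newer URL DIR: wget -N compares the server's Last-Modified header
# with the local file's mtime and downloads only when the remote is newer or
# the local copy is missing. The matching .md5 file is fetched the same way.
fetch_if_newer() {
    url=$1; dir=$2
    mkdir -p "$dir"
    wget -q -N -P "$dir" "$url" && wget -q -N -P "$dir" "$url.md5"
}

# verify_md5 TARBALL MD5FILE: succeed only when the digest published in the
# .md5 file matches the local tarball (assumed format: "<hex digest>  <name>").
verify_md5() {
    tarball=$1; md5file=$2
    expected=$(awk 'NR == 1 { print $1 }' "$md5file")
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# unpack_if_changed TARBALL STAMP DEST: unpack only when the tarball's digest
# differs from the digest recorded at the previous unpack (kept in STAMP).
# Returns 0 when it unpacked, 1 when nothing changed.
unpack_if_changed() {
    tarball=$1; stamp=$2; dest=$3
    current=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$current" ]; then
        return 1
    fi
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
    printf '%s\n' "$current" > "$stamp"
    return 0
}

# update_rules: the full cycle; call this from cron. Not run on load so the
# functions above can be sourced and exercised without network access.
update_rules() {
    name=$(basename "$RULES_URL")
    fetch_if_newer "$RULES_URL" "$KEEP_DIR" || { echo "download failed" >&2; return 2; }
    verify_md5 "$KEEP_DIR/$name" "$KEEP_DIR/$name.md5" || { echo "md5 mismatch for $name" >&2; return 3; }
    if unpack_if_changed "$KEEP_DIR/$name" "$KEEP_DIR/.$name.last" "$RULES_DIR"; then
        echo "unpacked new rules into $RULES_DIR"
    else
        echo "rules unchanged, nothing to do"
    fi
}
```

Source the file and call `update_rules` from cron; because wget's `-N` never re-downloads an unchanged snapshot, a sensor that checks hourly costs the server one HEAD-like request rather than a 100MB transfer, and the md5 check catches a truncated or substituted tarball before anything is unpacked.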