Educause Security Discussion mailing list archives

Snort VRT rules


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 15 Jun 2009 11:17:12 +1200

Just an FYI and apologies for the cross posting

As many of you are no doubt already well aware, the snort rules snapshot
file is now approaching 100MB and is very slow to download.

What you may not know is that now that the new snort web site is up
the snapshot file is no longer being rebuilt every day, so you can now
rely on the http header stuff to decide whether or not to download the
file.  They also have md5 files which you can check if you really
don't trust the http headers.

I am now using -N on wget and have drastically reduced the headaches
in downloading the VRT rules.

I have my own script that I use for downloading rule files and this
now works happily with the new set up.

I am happy to share this script if anyone is interested.  It downloads
and optionally unpacks tarballs.  I use it since I have several
sensors with different oinkmaster.confs and with the large files I
unpack them as well - this speeds up the oinkmaster processing
considerably.

I am also hacking oinkmaster by adding a -k <keep-dir> which tells
oinkmaster to keep the tarballs in the indicated directory and only
download them if it really needs to.  As expected this change is non
trivial as it changes one of the fundamental assumptions about how
files are downloaded.  That said, the code is well structured and
documented so it is nowhere near as bad as it could be (Thanks
Andreas :)

I'm also going to try and get the messages back from the web sessions
so that you know when you are being excluded by the download limit
(rather than just getting a 403).

Russell
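The fetch, md5 check and unpack-only-when-changed steps described in the post, as an added example; this is not Russell's script nor oinkmaster code. It assumes the .md5 sidecar file holds the hex digest as its first 32-hex-character token (either bare or in the "digest  filename" layout md5sum writes), and the URL, keep directory and rule file contents below are placeholders or constructed demo data.

```shell
#!/bin/sh
# Added example (not from the original post). Keep the VRT tarball and its
# .md5 sidecar in a "keep" directory, let wget -N skip unchanged files, verify
# the digest, and untar only when the digest differs from the last unpack.

# fetch_snapshot URL KEEPDIR
# wget -N compares the server's Last-Modified header against the local copy
# and only re-downloads when the server file is newer. URL is a placeholder.
fetch_snapshot() {
    wget -q -N -P "$2" "$1" "$1.md5"
}

# read_md5_file MD5FILE -> prints the lowercase 32-hex digest, or nothing.
# Assumption: the sidecar contains the digest as a bare token or in
# "digest  filename" layout; CRLF line endings are tolerated.
read_md5_file() {
    tr -d '\r' < "$1" | grep -oE '[0-9a-fA-F]{32}' | head -n 1 | tr 'A-F' 'a-f'
}

# file_md5 FILE -> prints the md5 of FILE (md5sum on Linux, md5 -q on BSD/macOS)
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_tarball TARBALL MD5FILE -> 0 when the digests match, 1 otherwise
# (an empty or unparsable sidecar also fails, rather than matching anything).
verify_tarball() {
    expected=$(read_md5_file "$2")
    actual=$(file_md5 "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# unpack_if_changed TARBALL MD5FILE DESTDIR
# Records the digest of the last unpacked tarball in DESTDIR/.last_md5 so a
# cron run where wget -N downloaded nothing skips the slow untar.
# Returns 0 if unpacked, 2 if unchanged since last unpack, 1 on failure.
unpack_if_changed() {
    tarball=$1; md5file=$2; dest=$3
    verify_tarball "$tarball" "$md5file" || {
        echo "md5 mismatch for $tarball; refusing to unpack" >&2
        return 1
    }
    digest=$(read_md5_file "$md5file")
    if [ -f "$dest/.last_md5" ] && [ "$(cat "$dest/.last_md5")" = "$digest" ]; then
        return 2
    fi
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest" || return 1
    printf '%s\n' "$digest" > "$dest/.last_md5"
    return 0
}

# demo_setup -> prints a temp "keep" dir holding a constructed tarball and
# its .md5 sidecar (demo data, not a real VRT snapshot).
demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/src/rules"
    printf 'alert tcp any any -> any 80 (msg:"constructed demo rule"; sid:1000001; rev:1;)\n' \
        > "$work/src/rules/local.rules"
    tar -czf "$work/snortrules-snapshot.tar.gz" -C "$work/src" rules
    file_md5 "$work/snortrules-snapshot.tar.gz" > "$work/snortrules-snapshot.tar.gz.md5"
    printf '%s\n' "$work"
}

if [ "${1:-}" = "--demo" ]; then
    keep=$(demo_setup)
    unpack_if_changed "$keep/snortrules-snapshot.tar.gz" \
        "$keep/snortrules-snapshot.tar.gz.md5" "$keep/rules-unpacked"
    echo "unpacked into $keep/rules-unpacked (rc=$?)"
fi
```

Two practical notes. Fetch the tarball and the .md5 in the same run and verify immediately: if the snapshot is replaced on the server between the two requests the digest will not match, and the right response is to re-fetch rather than unpack. And an md5 served from the same host as the tarball only catches truncated or corrupted downloads; it gives no assurance against someone who controls the server or the path to it, so it is a download-integrity check, not an authenticity check.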
