RE: snort automaticly rules update

[Dragos Ruiu <dr () kyx net>]

Another way might be to use snortpp to merge in rules
updates according to snort IDs and revision levels....

mv snort.rules snort.rules.old
wget http://www.snort.org/snort.rules
mv snort.rules snort.rules.new
snortpp snort.rules.old snort.rules.new > snort.rules

cheers,
--dr


On Wed, 25 Jul 2001, Ian () dtm ca wrote:
> Good simple script for Max's vision rules.  Does anyone have a script to
> update Snort 1.8 rules from snort.org??
>
> -----Original Message-----
> From: Dr SuSE [mailto:drsuse () drsuse org]
> Sent: Wednesday, July 25, 2001 12:02 PM
> To: ml () db nexgen com; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort automaticly rules update
>
>
> It sure is.  There are a few scripts floating around that will do that.
> Here's one I used to download the latest vision.rules and remove the rules
> that 
> I didnt need or want.  This might not be the best example but it worked for
> me 
> and that's all that really matters.....me :)  If you want to run it every 
> month, just cron it.  One thing to remember, the script does not know if the
>
> entire rules file was downloaded.  If it was only able to do a partial
> download 
> due to network or server issues, it would not know and it would end up
> loading 
> an incomplete rules file.
>
> What's that?  You say your gonna order a unix shell scripting book from 
> bookpool and write us a kick as script which will update our snort rules and
>
> check the integrity of the rule files.  Dude, you rock!  Let us know when
> it's 
> ready.
>
> #!/bin/sh
> cd /tmp
> wget -q http://www.whitehats.com/ids/vision.rules.gz
> gunzip /tmp/vision.rules.gz
> /etc/rc.d/snort stop
> rm /etc/snort/rules/vision.rules
> sed -e '/IDS175/d' -e '/IDS221/d' -e '/IDS226/d' -e '/IDS227/d' -e
> '/IDS243/d' -
> e '/IDS259/d' -e '/IDS298/d' /tmp/vision.rules >
> /etc/snort/rules/vision.rules
> rm /tmp/vision.rules
> /etc/rc.d/snort start
> echo Vision Rules Updated!
>
>
>
> > is it possible to somehow make my box to download every other month or so
> > new rules from snort website and update them?
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> Score my PGP key @
> http://www.drsuse.org/pks
>
> ---------------------------------------------
> Microsoft ist nicht installiert.
> http://www.drsuse.org/
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users