Snort mailing list archives

snort signatures on www.snort.org


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 29 May 2002 14:57:14 +1200

Hi,
    I am looking for a way to determine if the snort rule file:
http://www.snort.org/dl/signatures/snortrules.tar.gz
has actually changed so I don't download a new rule set unless I need
to.

So far as I can tell this file is rebuilt once a day regardless of
whether or not any changes have been made.  When I first realized this I
grabbed the MD5 sum and compared that to one for my current rules but
clearly some timestamps on the files change and the md5 hash for the
tarball changes even though the file contents apparently have not.

Any suggestions?

Alternatively, could the script that makes the snapshot check to see if
there are any changes before building the tarball and rebuild it only if
necessary?

Or should I use CVS to mirror the source tree every night and adjust my
script to process rule files from the local copy if there have been any
changes?

BTW I have a Perl script that implements a batch editor for modifying
rule files before passing them to the live snort. It can delete specific
rules and change, delete or add rules for other rules.  At the moment I
am just using it to delete noisy rules but there are several rules that
I want to tweak for local conditions.  If anyone is interested then drop
me a line.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
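
One way to detect a real rule change despite the daily rebuild, as an added example that is not part of the original post or of Snort's tooling: hash only member names and file contents, ignoring the tar and gzip timestamps that alter the tarball's MD5. The helper `build_tarball` and the sample rule text are constructed stand-ins for `snortrules.tar.gz`.

```python
import hashlib
import io
import tarfile


def content_digest(tarball_bytes: bytes) -> str:
    """SHA-256 over member names and file contents only.

    Tar header metadata (mtime, uid/gid, mode) and the gzip header, which
    also carries a timestamp, are ignored, so a rebuild of unchanged rules
    yields the same digest.
    """
    outer = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tar:
        # Sort by name so member order inside the archive does not matter.
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if not member.isfile():
                continue  # directories and links carry no rule content
            data = tar.extractfile(member).read()
            # Length-prefix the name and append a fixed-size content hash
            # so the boundaries between members are unambiguous.
            name = member.name.encode("utf-8")
            outer.update(len(name).to_bytes(4, "big") + name)
            outer.update(hashlib.sha256(data).digest())
    return outer.hexdigest()


def build_tarball(files: dict, mtime: int) -> bytes:
    """Build a constructed sample .tar.gz in memory (hypothetical helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mtime = mtime  # the only thing that differs between rebuilds
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample content, not real rules from the Snort archive.
RULES = {
    "rules/web.rules": b'alert tcp any any -> any 80 (msg:"sample"; sid:1000001;)\n',
    "rules/local.rules": b"# empty\n",
}
monday = build_tarball(RULES, mtime=1022600000)
tuesday = build_tarball(RULES, mtime=1022686400)  # same rules, rebuilt a day later
changed = build_tarball({**RULES, "rules/local.rules": b"# edited\n"}, mtime=1022686400)
```

Storing the last `content_digest` value next to the installed rules lets a nightly job fetch the tarball and skip the update when the digest matches.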

