Snort mailing list archives
Rule-Update
From: "Marc Quibell" <mquibell () fbfs com>
Date: Tue, 19 Aug 2003 08:38:19 -0500
Yes, there is a way to auto-update your rules automatically. Where would I be without auto-updating? Here's the script I use:

p.s. (There is also a way to post to the list text-only messages..hehe)

/etc/snort/rules/update-rules

    #!/usr/bin/perl -w

    use Getopt::Std;
    use File::Copy;
    use POSIX qw(strftime);
    use Fcntl;

    my $wget_bin       = "/usr/bin/wget";
    my $read_timeout   = "2900";
    my $tmpfile        = "/tmp/temp.$$.tar.gz";
    my $tmpfile2       = "/tmp/temp.$$.tar";
    my $url            = "http://www.snort.org/downloads/rules/snortrules-current.tar.gz";
    my $compress_gzip  = "/bin/gzip";
    my $compress_tar   = "/bin/tar";
    $SNORT_PID_FILE    = "/var/run/snort_eth1.pid";
    my $RULES_DIR      = "/tmp/rules";
    my $RULES_PUT_DIR  = "/etc/snort/rules";

    # Download the current ruleset; system() returns non-zero on failure.
    print "Grabbing ruleset from $url...\n";
    die("File transfer failed: the wget command exited with an error (return status was not 0).\nExiting")
        if (system("$wget_bin","-nv","-T","$read_timeout","-t","3","-O","$tmpfile","http://www.snort.org/downloads/rules/snortrules-current.tar.gz"));
    #die("File transfer failed: the wget command exited with an error (return status was not 0).\nExiting")
    #    if (system("$wget_bin","-nv","-v","-T","$read_timeout","-t","3","-O","$tmpfile","$url"));

    # Check the gzip container before unpacking (will also die if there is trailing garbage).
    die("Gzip integrity check failed (file transfer failed or file in URL not in gzip format?).\nExiting")
        if (system("$compress_gzip","-t","$tmpfile"));

    # Keep a copy of the downloaded archive.
    system("cp","$tmpfile","/home/mquibell/snortrules-current.tar.gz");

    print "Decompressing $tmpfile...\n";
    system("$compress_gzip","-d","$tmpfile");
    print "Untaring $tmpfile2...\n";
    system("/bin/tar","-C/tmp/","-xf","$tmpfile2");

    # Move every *rules file from the unpacked tree into the live rules directory.
    opendir(RULES_DIR, "$RULES_DIR") or die "Can't open directory $RULES_DIR for reading: $!\n";
    my @all_files = grep { /rules$/ } readdir RULES_DIR;
    closedir(RULES_DIR);

    for (@all_files) {
        move("$RULES_DIR/$_","$RULES_PUT_DIR/$_") or die "error $!\n";
    }

    # open SNORT_PID_FILE or die "Can't open $1";
    # while (<SNORT_PID_FILE>)
    # {
    #     snort_pid = $_;
    # }
    # close(SNORT_PID_FILE);
    # kill 1, $snort_pid[0];
    #system(kill -HUP `cat /var/run/snort_eth1.pid`);

    #system("rm $tmpfile2");
    system("rm /tmp/temp*.*");
    exit(0);
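The script in this message writes to a predictable `/tmp/temp.$$` name and unpacks the downloaded archive directly into `/tmp` before moving files into the live rules directory. The following is an added example, not part of the original post: a shell version of the unpack-and-install step that uses a private `mktemp -d` directory, rejects archives with absolute or `..` member paths, and copies only regular `*.rules` files. It assumes the archive unpacks to a top-level `rules/` directory, as the script's `$RULES_DIR` implies; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: staged install of a downloaded Snort rules tarball.
# Assumption: the archive contains a top-level rules/ directory.

# Reads member names on stdin; succeeds only if none is absolute
# and none has a ".." path component.
names_are_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# archive_is_safe ARCHIVE: the file must list cleanly as a gzip tar
# and every member name must pass names_are_safe.
archive_is_safe() {
    list=$(tar -tzf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$list" | names_are_safe
}

# stage_rules ARCHIVE DEST_DIR: unpack into an unpredictable, mode-0700
# directory, then copy regular *.rules files (never symlinks) to DEST_DIR.
# Fails if the archive is rejected or yields no rule files.
stage_rules() {
    archive=$1
    dest=$2
    archive_is_safe "$archive" || { echo "rejecting $archive" >&2; return 1; }
    work=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$work"; then
        rm -rf "$work"
        return 1
    fi
    count=0
    for f in "$work"/rules/*.rules; do
        # Skip an unmatched glob, symlinks and non-regular files.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        cp "$f" "$dest/" || { rm -rf "$work"; return 1; }
        count=$((count + 1))
    done
    rm -rf "$work"
    [ "$count" -gt 0 ]
}

# Usage: stage_rules /path/to/snortrules-current.tar.gz /etc/snort/rules
```

Because the download in the script is plain HTTP, these checks only constrain where files land; they do not establish that the rules came from snort.org.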
Current thread:
- Rule-Update Brandon Hanks (Aug 18)
- <Possible follow-ups>
- RE: Rule-Update Schmehl, Paul L (Aug 18)
- Rule-Update Marc Quibell (Aug 19)