Snort mailing list archives
Re: Snort VRT rules
From: Zakai Kinan <titanyen2000 () yahoo com>
Date: Sun, 14 Jun 2009 17:39:55 -0700 (PDT)
Can you send the script to the list?

Thanks,
ZK

--- On Sun, 6/14/09, Russell Fulton <r.fulton () auckland ac nz> wrote:
From: Russell Fulton <r.fulton () auckland ac nz>
Subject: [Snort-users] Snort VRT rules
To: "The EDUCAUSE Security Constituent Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Cc: snort-users () lists sourceforge net, oinkmaster-users () lists sourceforge net
Date: Sunday, June 14, 2009, 4:17 PM

Just an FYI, and apologies for the cross posting.

As many of you are no doubt already well aware, the snort rules snapshot file is now approaching 100MB and is very slow to download. What you may not know is that now that the new snort web site is up, the snapshot file is no longer being rebuilt every day, so you can now rely on the http header stuff to decide whether or not to download the file. They also have md5 files which you can check if you really don't trust the http headers.

I am now using -N on wget and have drastically reduced the headaches in downloading the VRT rules.

I have my own script that I use for downloading rule files and this now works happily with the new set up. I am happy to share this script if anyone is interested. It downloads and optionally unpacks tarballs. I use it since I have several sensors with different oinkmaster.confs and with the large files I unpack them as well - this speeds up the oinkmaster processing considerably.

I am also hacking oinkmaster by adding a -k <keep-dir> which tells oinkmaster to keep the tarballs in the indicated directory and only download them if it really needs to. As expected this change is non-trivial as it changes one of the fundamental assumptions about how files are downloaded. That said, the code is well structured and documented so it is nowhere near as bad as it could be (Thanks Andreas :)

I'm also going to try and get the messages back from the web sessions so that you know when you are being excluded by the download limit (rather than just getting a 403).

Russell

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
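The approach Russell describes above (let wget -N skip the snapshot when the server copy is not newer, then check the published md5 file before trusting the tarball) written out as a small POSIX shell script. This is an added example, not Russell's script or anything from the oinkmaster project; the snapshot URL, the keep directory and the assumption that the .md5 sidecar is named `<tarball>.md5` and contains the hex digest somewhere on its first line are placeholders and assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example: conditional download plus md5 verification of the Snort
# VRT rules snapshot. URL, keep directory and .md5 naming are assumptions.
RULES_URL="${RULES_URL:-https://example.invalid/snortrules-snapshot.tar.gz}"  # placeholder
KEEP_DIR="${KEEP_DIR:-/var/cache/snort-rules}"                                   # assumption

# Hex MD5 of a file, using whichever tool the host provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# First 32-hex-digit run in the sidecar, lowercased. Handles a bare digest
# and the "digest  filename" md5sum layout (sidecar format is an assumption).
expected_md5() {
    grep -o '[0-9a-fA-F]\{32\}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Returns 0 when the tarball's digest matches its sidecar, 1 otherwise.
# Both files must exist; an empty or malformed sidecar never verifies.
verify_snapshot() {
    tarball="$1"; sidecar="$2"
    [ -f "$tarball" ] && [ -f "$sidecar" ] || return 1
    want="$(expected_md5 "$sidecar")"
    [ -n "$want" ] && [ "$(file_md5 "$tarball")" = "$want" ]
}

# wget -N only re-downloads when the server's Last-Modified is newer than
# the local copy, so a stable snapshot is fetched once. The tarball is only
# reported usable after the digest check passes.
fetch_snapshot() {
    mkdir -p "$KEEP_DIR"
    tarball="$KEEP_DIR/$(basename "$RULES_URL")"
    wget -q -N -P "$KEEP_DIR" "$RULES_URL" "$RULES_URL.md5" || return 1
    if verify_snapshot "$tarball" "$tarball.md5"; then
        echo "snapshot verified: $tarball"
    else
        echo "md5 mismatch, refusing to use $tarball" >&2
        return 1
    fi
}

# Only hit the network when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "fetch" ]; then
    fetch_snapshot
fi
```

Run it as `sh rules-fetch.sh fetch` from cron; a non-zero exit on mismatch keeps a truncated or tampered download out of the oinkmaster run.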
Current thread:
- Snort VRT rules Russell Fulton (Jun 14)
- Re: Snort VRT rules Nigel Houghton (Jun 14)
- Re: [Oinkmaster-users] Snort VRT rules Andreas Östling (Jun 15)
- <Possible follow-ups>
- Re: Snort VRT rules Zakai Kinan (Jun 14)
- Re: Snort VRT rules JJ Cummings (Jun 14)