Re: Snort VRT rules

[Zakai Kinan <titanyen2000 () yahoo com>]

Can you send the script to the list?


Thanks,

ZK

--- On Sun, 6/14/09, Russell Fulton <r.fulton () auckland ac nz> wrote:

> From: Russell Fulton <r.fulton () auckland ac nz>
> Subject: [Snort-users] Snort VRT rules
> To: "The EDUCAUSE Security Constituent Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
> Cc: snort-users () lists sourceforge net, oinkmaster-users () lists sourceforge net
> Date: Sunday, June 14, 2009, 4:17 PM
> Just an FYI and apologies for the
> cross posting
>
> As many of you are no doubt already well aware the snort
> rules snap  
> shot file is now approaching 100MB and is very slow to down
> load.
>
> What you may not know is that now that the new snort web
> site is up  
> the snapshot file is no longer being rebuilt every day so
> you can now  
> rely on the http header stuff to decide whether or not to
> download the  
> file.  They also have md5 files which you can check if
> you are really  
> don't trust the http headers.
>
> I am now using -N on wget and have drastically reduced the
> headaches  
> in downloading the VRT rules.
>
> I have my own script that I use for downloading rule files
> and this  
> now works happily with the new set up.
>
> I am happy to share this script if anyone is
> interested.  It downloads  
> and optionally unpacks tarballs.  I use it since I
> have several  
> sensors with different oinkmaster.confs and with the large
> files I  
> unpack them as well - this speeds up the oinkmaster
> processing  
> considerably.
>
> I am also hacking oinkmaster by adding a -k
> <keep-dir> which tells  
> oinkmaster to keep the tarballs in the indicated directory
> and only  
> download them if it really needs to.  As expected this
> change is non  
> trivial as it changes one of the fundamental assumptions
> about how  
> files are downloaded.  That said the code is well
> structured and  
> documented so it is no where near as bad as it could be
> (Thanks  
> Andreas :)
>
> I'm also going to try and get the messages back from the
> web sessions  
> so that you know when you are being excluded by the
> download limit  
> (rather than just getting a 403.
>
> Russell
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables
> unlimited
> royalty-free distribution of the report engine for
> externally facing 
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


      

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users