Snort mailing list archives

Re: rules update on 2.8


From: hermit () outofoptions com
Date: Wed, 21 Dec 2011 11:28:20 -0500

Nick,

The current install is on a production machine that I can't take much
risk with, that is why I was wondering if the last rule set for the
2.8 series was compatible with my rpm version.  Since the script that
pulls doesn't alert on failure I probably have a very old rule set
from the looks of it.

I'm looking at "Insta-Snorby" at the moment and thinking about
spinning that up on a VM as at least an interim measure.  The current
home grown solution analyses the logs nightly and sends an email of
possible events to look at every morning.  Seems a tad untimely.

Thanks for the input.
Hermit
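The nightly cron pull discussed in this thread fails without anyone noticing, which is how a sensor ends up running months-old rules. As an added example (not from this thread, Snort or Sourcefire), a POSIX sh wrapper that makes the same pull fail loudly: it rejects anything that is not a rules tarball and warns when the bundle has not changed since the last good pull. RULES_URL (using the thread's oinkmaster URL form, with "somegibberishhere" standing in for the oinkcode), STATE_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a nightly rule-pull wrapper that fails
# loudly instead of silently keeping a stale rule set.
# Assumptions: curl is installed; RULES_URL is the thread's oinkmaster form with
# "somegibberishhere" standing in for the real oinkcode; STATE_DIR is writable.
RULES_URL="${RULES_URL:-http://www.snort.org/pub-bin/oinkmaster.cgi/somegibberishhere/snortrules-snapshot-2.8.tar.gz}"
STATE_DIR="${STATE_DIR:-/var/lib/snort-rules}"

# Return 0 only if FILE is a non-empty gzip tarball that contains .rules files;
# an HTML error page or an empty body saved by a naive fetch fails here.
verify_snapshot() {
    f="$1"
    [ -s "$f" ] || { echo "empty download: $f" >&2; return 1; }
    magic=$(od -An -N2 -tx1 "$f" | tr -d ' \n')   # gzip magic is 1f 8b
    [ "$magic" = "1f8b" ] || { echo "not gzip (got '$magic'): $f" >&2; return 1; }
    tar tzf "$f" 2>/dev/null | grep -q '\.rules$' || { echo "no .rules inside: $f" >&2; return 1; }
}

# Return 0 if FILE's sha256 differs from the hash recorded in STATEFILE, 1 if it
# is the same bundle again (a "successful" pull of unchanged rules deserves a warning).
snapshot_changed() {
    new=$(sha256sum "$1" | cut -d' ' -f1)
    old=$(cat "$2" 2>/dev/null)
    [ "$new" != "$old" ]
}

fetch_rules() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    # -f turns an HTTP error into a non-zero exit instead of saving the error page
    if ! curl -fsSL --max-time 300 -o "$tmp" "$RULES_URL"; then
        echo "rule fetch failed: $RULES_URL" >&2
        exit 1
    fi
    verify_snapshot "$tmp" || exit 1
    mkdir -p "$STATE_DIR"
    if snapshot_changed "$tmp" "$STATE_DIR/last.sha256"; then
        sha256sum "$tmp" | cut -d' ' -f1 > "$STATE_DIR/last.sha256"
        mv "$tmp" "$STATE_DIR/snortrules-snapshot.tar.gz"
        echo "new rule snapshot stored in $STATE_DIR"
    else
        echo "warning: snapshot unchanged since last fetch" >&2
    fi
}

# Run from cron with MAILTO set: any non-zero exit or stderr output gets mailed.
if [ "${1:-}" = "--fetch" ]; then fetch_rules; fi
```

Compare the stored hash with the one published for the current snapshot on snort.org before trusting a "stored" result, and treat a repeated "unchanged" warning as a sign the pull URL or oinkcode has gone stale.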

Quoting Nick Moore <nmoore () sourcefire com>:

Hermit,

1. Your Snort version is out of date - we are currently on version 2.9.2.
Snort 2.8.6.1 is still on the web site for registered rule users, but will
be aged out in the next couple months.

2. I'd recommend using pulled pork over oinkmaster. There are several
guides available on setting it up online.

3. Yum and other package update mechanisms are not the best way to keep
Snort up to date. I have found that these frequently lag far enough behind
the current version that in some cases, they are using a no longer
supported version in their updates. I would instead recommend looking at it
manually whenever there is a new Snort release and recompiling.

Hope this helps and Happy Snorting!

Nick

On Wed, Dec 21, 2011 at 8:35 AM, <hermit () outofoptions com> wrote:

Long time lurker,

   I started a new position as systems administrator for a small
company and just caught up on 6 months of email sitting around in this
folder.  The company I currently work for uses snort so I decided to
catch up on the email and check the installation.  The old sysadmin
has a cron set up to pull rules nightly with:


http://www.snort.org/pub-bin/oinkmaster.cgi/somegibberishhere/snortrules-snapshot-2.8.tar.gz

This fails.


[root@tan ~]# rpm -q snort
snort-2.8.5-1

Seems to be the latest available.

[root@tan ~]# yum update snort
Loaded plugins: downloadonly, security
Excluding Packages in global exclude list
Finished
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update
[root@tan ~]#


[root@tan ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[root@tan ~]#

Is it safe to change "snapshot-2.8" to "snortrules-snapshot-2861.tar.gz"?

Thanks
Hermit



------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
