[Snort-sigs] Updating snort signatures

Tue Aug 27 16:59:03 EDT 2002

On Tue, 27 Aug 2002, Azad Mahmoud wrote:

> This is my first mail to this mailing list. I need some help about the
> way to update the signatures on some live snort machines. So far the way
> I do is just to copy the whole new set of signatures and restart the
> snort (all the platforms used are Linux). But I was wondering if there
> is a simple script that could be used to do this operation.

Well...  the simplest way would be:

	scp -pr /etc/snort/rules/* <sensor>:/etc/snort/rules

If that doesn't work for you, check out Oinkmaster.  It was written with this
in mind.

> This is the main issue, also if there are some hints about the way of
> updating or upgrading the whole snort version will be very much
> appreciated, there are few files (e.g. snort.conf, local and
> classification) normally I exclude these files meaning that I use the old
> copies without any changes is it the right way to do this??.

You do want to change your .conf files from version to version.  To be honest,
you want to change out _all_ files from the older versions.  Suggestion:

	Have a dir just for snort upgrades.  Drop in the new version, build
it, then diff the .conf (from the tarball) vs. your current one.  In fact,
it's just a good idea to do that with 'all the files'.  :)  Many times a new
feature will be added, that needs configuration in the .conf, or may need a
new *.map file.
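
The diff step suggested above, as an added example that is not part of the original message: a shell function that compares the config and map files shipped with a new Snort release against the live copies and flags what needs review. The directory layout and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# compare_configs NEW_DIR LIVE_DIR
# Prints one line per shipped *.conf, *.config and *.map file:
#   NEW      only in the new release; may need to be installed
#   CHANGED  differs from the live copy; review with diff -u before upgrading
#   SAME     identical to the live copy
compare_configs() {
    new_dir=$1
    live_dir=$2
    for f in "$new_dir"/*.conf "$new_dir"/*.config "$new_dir"/*.map; do
        [ -f "$f" ] || continue              # glob matched nothing
        name=$(basename "$f")
        if [ ! -f "$live_dir/$name" ]; then
            echo "NEW $name"
        elif cmp -s "$f" "$live_dir/$name"; then
            echo "SAME $name"
        else
            echo "CHANGED $name"
        fi
    done
}

# Demo on constructed sample trees (contents are made up for illustration).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/new" "$tmp/live"
    echo 'var HOME_NET any'          > "$tmp/new/snort.conf"
    echo 'var HOME_NET 10.0.0.0/8'   > "$tmp/live/snort.conf"
    echo '# constructed sample'      > "$tmp/new/classification.config"
    echo '# constructed sample'      > "$tmp/live/classification.config"
    echo '# constructed sample map'  > "$tmp/new/sid-msg.map"
    compare_configs "$tmp/new" "$tmp/live"
    # Show the actual differences for a changed file.
    diff -u "$tmp/live/snort.conf" "$tmp/new/snort.conf" || true
    rm -rf "$tmp"
}

# Usage: script NEW_DIR LIVE_DIR   (no arguments runs the demo)
if [ "$#" -eq 2 ]; then
    compare_configs "$1" "$2"
else
    demo
fi
```

Run it with the unpacked tarball's config directory and the live one (for example `/etc/snort`) as the two arguments; anything reported as NEW or CHANGED is what to merge by hand before restarting the sensor.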


