[Snort-sigs] Searching for the latest Snort rules

JP Vossen vossenjp at ...1431...
Tue Dec 2 21:15:00 EST 2003

> Date: Wed, 26 Nov 2003 11:48:24 +0100
> From: "Marc Ruef" <maru at ...2036...>
> To: <snort-sigs at lists.sourceforge.net>
> Subject: [Snort-sigs] Searching for the latest Snort rules
> Every day I fill in the latest news on the topic. One field in the
> database is the Snort rule number. If I want to fill in the Nessus
> plugin number it is very easy for me: I call the Nessus project web
> site, select plugins and have it display the latest plugins. If there is a
> plugin around that compares with the description in my database, I add
> the Nessus plugin number.
> But with Snort it seems not so easy. I can't display the newest rule
> entries (or I haven't found it yet). Is there a way for me to view the
> latest Snort rules so I can fill in the wanted data without additional
> personal effort (e.g. always searching by rule description or by port)?

I don't think I saw any answers to this one, so...

There are a number of ways to do this.

1. http://www.snort.org/cgi-bin/sigs-search.cgi

2. http://cvs.sourceforge.net/viewcvs.py/snort/snort/rules/

3. Download the rules tarballs [0] and extract them someplace every night using
wget and cron (or Windows scheduler and wget & tar from UNXUtils [1]). Grep
the rules files locally for your search terms. Not sure if this is something
you said you didn't want to do above.

4. Use Oinkmaster [2] which can tell you each day what rules have been added,
changed or removed.

5. Subscribe to Snort-Sigs [3] which will teach you stuff about Sigs and
provide e-mails from Oinkmaster...

Hope this helps,

[0] http://www.snort.org/dl/rules/snortrules-stable.tar.gz

[1] http://unxutils.sourceforge.net/

[2] http://oinkmaster.sourceforge.net/

[3] https://lists.sourceforge.net/mailman/listinfo/snort-sigs

JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
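As an added example (not from the original post or any of the tools it names), here is the local half of options 3 and 4 above: index each night's extracted rules directory by SID and report which rules were added, changed or removed since the previous snapshot, which is what Oinkmaster reports and what a cron job plus grep can approximate. The directory layout, the `index_rules`/`diff_rules` helper names and the sample rules are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: index a Snort rules directory
# by SID and report the rules added, changed or removed between two nightly
# snapshots (what items 3 and 4 above do with wget/cron/grep and Oinkmaster).
# Directory layout and sample rules below are constructed for the demo.
set -eu

# index_rules DIR: print "sid<TAB>msg<TAB>rule" for every enabled rule that
# carries a sid: option in DIR/*.rules; the SID is the stable key across releases.
index_rules() {
    cat "$1"/*.rules | awk '
        /^[ \t]*#/ || !/sid:[ \t]*[0-9]+;/ { next }
        { sid = $0; sub(/.*sid:[ \t]*/, "", sid); sub(/;.*/, "", sid)
          msg = $0; sub(/.*msg:[ \t]*"/, "", msg); sub(/".*/, "", msg)
          print sid "\t" msg "\t" $0 }' | sort -n
}

# diff_rules OLD_DIR NEW_DIR: one line per difference, "+", "-" or "~" followed
# by the SID and msg (added, removed, or same SID with changed rule text).
diff_rules() {
    index_rules "$1" > "$TMP/old.idx"; index_rules "$2" > "$TMP/new.idx"
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $3; oldmsg[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in old))       print "+ " $1 "\t" $2
          else if (old[$1] != $3) print "~ " $1 "\t" $2 }
        END { for (s in old) if (!(s in seen)) print "- " s "\t" oldmsg[s] }
    ' "$TMP/old.idx" "$TMP/new.idx" | sort -k2,2n
}

# --- constructed sample snapshots (two nights of a tiny web.rules) ---
TMP=$(mktemp -d); mkdir "$TMP/old" "$TMP/new"
HDR='alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS'
cat > "$TMP/old/web.rules" <<EOF
$HDR (msg:"WEB-MISC sample old"; content:"/old"; sid:1000001; rev:1;)
$HDR (msg:"WEB-MISC sample kept"; content:"/kept"; sid:1000002; rev:1;)
# $HDR (msg:"WEB-MISC disabled"; content:"/off"; sid:1000003; rev:1;)
EOF
cat > "$TMP/new/web.rules" <<EOF
$HDR (msg:"WEB-MISC sample kept"; content:"/kept"; flow:to_server; sid:1000002; rev:2;)
$HDR (msg:"WEB-MISC sample new"; content:"/new"; sid:1000004; rev:1;)
# $HDR (msg:"WEB-MISC disabled"; content:"/off"; sid:1000003; rev:1;)
EOF

report() { diff_rules "$TMP/old" "$TMP/new"; }
report   # prints: - 1000001, ~ 1000002, + 1000004 (disabled 1000003 is ignored)
```

Run it from cron after the nightly wget/tar step with the two extracted directories in place of the sample ones; the "+" lines are the new SIDs to look up in the database.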
