[Snort-users] Auto rules update

Erich Meier Erich.Meier at ...99...
Tue Jan 23 12:14:36 EST 2001


On Tue, Jan 23, 2001 at 04:56:52AM +0000, Dr SuSE wrote:
> I wrote a simple script to update my vision.rule and I'd like to get some 
> opinions/ideas from other Snort users.
> 
> I'm using vision.rules and I just needed a simple way of obtaining the latest 
> ruleset and removing rules that I do not need.  I know there are some update 
> utilities already available but I need the scripting practice and I needed 
> something to do while at work.

I do something similar here. The most important thing is that you check the
vision.conf file after downloading and only enable it manually. Remember, you
can't trust the downloaded content!

Attached is a Makefile, the updatev script and an example file that contains
a negative list of rules that cause too many false positives here.

YMMV,
Erich
-------------- next part --------------
# make       -> fetch the latest vision.conf and show the diff against the current copy
# make copy  -> install the manually reviewed vision.conf.current and restart snort
# make clean -> remove all working copies
all:	vision.conf

vision.conf:	vision.conf.current
	@./updatev

vision.conf.current:
	@cp ../vision.conf vision.conf.current

copy:
	cp vision.conf.current ../vision.conf
	/local/snort/etc/rc restart

clean:
	@rm -f vision.conf vision.conf.new vision.conf.current
-------------- next part --------------
#!/bin/sh

# Start from a clean slate so a failed download cannot leave a stale copy behind.
rm -f vision.conf

# Fetch the current vision.conf ruleset from whitehats.com.
/local/bin/wget -q http://dev.whitehats.com/ids/vision.conf

# Drop what the local snort.conf already provides (network vars, preprocessors),
# the export stamp that would otherwise show up in every diff, and every rule
# listed in vision.conf.exclude (one regular expression per line).
egrep -v '^(var (EXTERNAL|INTERNAL)|preprocessor (portscan|minfrag|http_decode)|######### Export date:)' vision.conf | egrep -vf vision.conf.exclude > vision.conf.new

# Only accept a non-empty result: show what changed, then keep it as the
# current candidate. It is still reviewed by hand and installed with "make copy".
if [ -s vision.conf.new ]; then
  mv vision.conf.new vision.conf
  diff vision.conf.current vision.conf
  mv vision.conf vision.conf.current
else
  rm -f vision.conf vision.conf.new
fi
-------------- next part --------------
IDS227/http-cgi-scriptalias
IDS230/http-cgi-space-wildcard
IDS243/http-cgi-pipe
IDS247/dos-large-udp
IDS298/http-directory-traversal2
IDS426/tfn2k-udp_possible_communication
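The updatev script above removes the rules on the negative list but otherwise keeps whatever the download contains. As an added example (not part of the thread, not Erich's script), the sh function below applies the same negative-list filtering and refuses the download outright if it carries anything other than rules, comments, blank lines and var definitions, so a tampered feed can only add or remove signatures, never change sensor behaviour through preprocessor, output or include directives. The rule-action list, file names and the sample ruleset are constructed assumptions for Snort 1.x.

```shell
#!/bin/sh
# Added example, not the original updatev. Names and data are constructed.

# filter_ruleset RULESET EXCLUDE OUT
# Returns 0 and writes OUT on success, 1 if the download carries lines a
# rule feed should not (nothing is written), 2 if no rule survived.
filter_ruleset() {
  ruleset=$1; exclude=$2; out=$3
  # Rule actions alert/log/pass cover Snort 1.x; extend for your version.
  allowed='^(alert|log|pass) |^#|^$|^var '
  if grep -Evq "$allowed" "$ruleset"; then
    printf 'refusing %s, lines a rule feed should not carry:\n' "$ruleset" >&2
    grep -Ev "$allowed" "$ruleset" >&2
    return 1
  fi
  # Same clean-up as updatev: the local snort.conf already defines the
  # networks, and the export stamp would show up in every diff.
  grep -Ev '^var (EXTERNAL|INTERNAL)|^######### Export date:' "$ruleset" \
    | grep -Evf "$exclude" > "$out"
  [ -s "$out" ] || return 2
}

# make_fixtures DIR: writes a constructed ruleset and exclude list for the demo.
make_fixtures() {
  cat > "$1/vision.conf" <<'EOF'
######### Export date: constructed sample, not a real feed
var EXTERNAL any
var INTERNAL any
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"IDS227/http-cgi-scriptalias"; content:"/cgi-bin/";)
alert udp $EXTERNAL any -> $INTERNAL any (msg:"IDS247/dos-large-udp"; dsize:>4000;)
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"IDS999/constructed-http-example"; content:"/x";)
log tcp $EXTERNAL any -> $INTERNAL 23 (msg:"constructed-telnet-log";)
EOF
  cat > "$1/vision.conf.exclude" <<'EOF'
IDS227/http-cgi-scriptalias
IDS247/dos-large-udp
EOF
}

# Demo: the clean download passes with two rules kept; the same download
# with an injected preprocessor line is refused.
demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
filter_ruleset "$demo_dir/vision.conf" "$demo_dir/vision.conf.exclude" "$demo_dir/vision.conf.new"
echo "kept $(grep -c . "$demo_dir/vision.conf.new") rules"
printf 'preprocessor http_decode: 80\n' >> "$demo_dir/vision.conf"
filter_ruleset "$demo_dir/vision.conf" "$demo_dir/vision.conf.exclude" "$demo_dir/bad.new" || echo "refused, status $?"
```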