[Snort-users] Auto rules update

Phil Wood cpw at ...440...
Tue Jan 23 17:44:52 EST 2001


In Max we trust.

and

I had a whole bunch of "rule patterns" (like yours) in a file
called exclude-rules, thus this perl script:

    open EXCLUDE, "<exclude-rules" || die "exclude-rules not found. $!\n";
    while (<EXCLUDE>) {
      chomp;
      $excludes[$i++] = $_;
    }
    
    while (<>) {
      $exclude = 0;
      foreach $exclusion (@excludes) {
        if (/\Q$exclusion\E/) {
            $exclude ++;
            last;
         }
      }
      if ($exclude) {print "# $_";}
      else { print "$_"; }
    }
    
Then I could put this script in line with other little filters,
like one to change EXTERNAL_NET to EXTERNAL, and HOME_NET to
INTERNAL, etc.  But, I just don't feel like making the clean shot
from where-ever to a running snort.  I think there needs to
be a sanity check.  Just running snort with the new rule set on
a tcpdump file (-r) could be used to verify.

That's two or more opinons.  %^)

On Tue, Jan 23, 2001 at 04:56:52AM +0000, Dr SuSE wrote:
> I wrote a simple script to update my vision.rule and I'd like to get some 
> opinions/ideas from other Snort users.
> 
> I'm using vision.rules and I just needed a simple way of obtaining the latest 
> ruleset and removing rules that I do not need.  I know there are some update 
> utilities already available but I need the scripting practice and I needed 
> something to do while at work.
> 
> cd /tmp
> wget -q http://www.whitehats.com/ids/vision.rules
> /etc/rc.d/snort stop
> rm /etc/snort/vision.rules
> sed -e '/IDS226/d' -e '/IDS259/d' /tmp/vision.rules > /etc/snort/vision.rules
> rm /tmp/vision.rules
> /etc/rc.d/snort start
> echo Vision Rules Updated!
> 
> 
> 
> 
> ---------------------------------------------
> Microsoft ist nicht installiert.
> http://www.drsuse.org/
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list