[Snort-users] updating rules through webinterface

Fyodor fygrave at ...121...
Fri Mar 30 06:53:56 EST 2001


On Fri, Mar 30, 2001 at 01:21:31PM +0200, Roeland Weve wrote:
> Howdy,
> 
> Maybe it already exists, but I am working on a php (web)interface to
> switch rules on or off, to delete, or to add them. 
> If it's ready, it makes it possible to manage the rules from within the
> network.

Dragos Ruiu (dr at ...381..., dr at ...50...) was working on some kind of similar
project. I guess if you would contact him, he could show you what he has done
so far. 

> That's more easier for everybody, because you don't have to ssh or local
> log into to the ids machine anymore and to find and edit the rule files.
> 

indeed. But hope you are not forgetting about proper authentication, right? :)

> Another point why I'm making this, is to check if there are new rules.
> I have to get the latest version of the rules from the internet and
> compare them with the rules on the ids. So, does anybody knows how I
> can get the latest rules from the internet?
> >From snort it isn't possible, because the directorie contains a date:
> http://www.snort.org/Files/03152001/snortrules.tar.gz
>                            ^^^^^^^^
> The date will change, if the latest rules are saved like
> 'http://www.snort.org/Files/snortrules.tar.gz' it would be better, so I
> can always get the latest rules with wget or something.

I donno, I guess you should probably ask Jim about it :)

> I was thinking of CVS, but I do not know how to get all the rules as
> simple as possible. I don't want to do it by name (sql.rules) but by
> syntax (*.rules). So, if there will be a new ruleset (blalba.rules) it
> also takes that file and I can include it.

CVS actually is not as complete as rules base at www.snort.org or www.whitehats.com. Mostly
the rulebase is kept there for demo purpose only (Althrough Marty maintains them being more
or less up to date as far as I see :)).


-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1




More information about the Snort-users mailing list