[Snort-users] updating rules through webinterface

Roeland Weve roeland at ...1415...
Fri Mar 30 09:59:47 EST 2001


Yes, thank you.
I can use that very well!

And you know for sure that these rules are regularly updated?

Roeland

JB Lallement wrote:
> 
> At 30/03/2001 13:21, Roeland Weve wrote:
> 
> >Another point why I'm making this, is to check if there are new rules.
> >I have to get the latest version of the rules from the internet and
> >compare them with the rules on the ids. So, does anybody know how I
> >can get the latest rules from the internet?
> >From snort it isn't possible, because the directory contains a date:
> >http://www.snort.org/Files/03152001/snortrules.tar.gz
> >                            ^^^^^^^^
> >The date will change, if the latest rules are saved like
> >'http://www.snort.org/Files/snortrules.tar.gz' it would be better, so I
> >can always get the latest rules with wget or something.
> >I was thinking of CVS, but I do not know how to get all the rules as
> >simple as possible. I don't want to do it by name (sql.rules) but by
> >syntax (*.rules). So, if there will be a new ruleset (blalba.rules) it
> >also takes that file and I can include it.
> 
> You may obtain the full ruleset by sending a GET to ( using cURL, wget,
> lynx, ... ):
> http://www.snort.org/Database/cleanrules_results.asp
> 
> To get a particular ruleset ( ex DDOS )
> http://www.snort.org/Database/cleanrules_results.asp?type=DDOS
> 
> This will extract the ruleset directly from the online DB.
> 
> Hope this helps
> 
> >Then the compare part will be done by diff or something.
> >Maybe I will make this part in perl, so I can crontab it daily and mail
> >the difference between the rulesets. (I saw already some progz doing
> >something like this).
> >
> >If it's ready I will put it on the mailing list.
> >Some disadvantages are that you have to change the directory where the
> >rule files are saved (now I have to snort.conf in /etc/snort and the
> >rules in /var/www/html/rules/, that's because I can safely change the
> >write and read rights there...).
> >
> >Well, if anybody has any ideas or knows existing programs that I can
> >use, etc. it will be really appreciated!
> >
> >Roeland
> >
> 
> |---                                  ---|
>   Jean-Baptiste LALLEMENT
>   ZENI CORPORATION          http://zeni.fr
>   Tél : 0.803.003.111 Fax : 03.44.57.35.55
> |---                                  ---|
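
The compare step discussed in this thread, as an added example that is not part of the original posts: a shell function that diffs every `*.rules` file in a freshly fetched directory against the installed one, so a new ruleset file is picked up by pattern rather than by name and the changes can be reviewed before they reach the sensor. The function names, directory layout and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: report differences between installed and freshly fetched
# Snort rules. File names are matched by pattern (*.rules), not by name.

# Active rules of one file: comments and blank lines dropped, sorted.
active_rules() {
    [ -f "$1" ] && grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | sort -u
    return 0
}

# Prefix every stdin line with "<sign> <file>: ".
prefix() {
    while IFS= read -r line; do printf '%s %s: %s\n' "$1" "$2" "$line"; done
}

# compare_rules OLD_DIR NEW_DIR -> prints changes, returns 1 if any were found.
compare_rules() {
    old=$1; new=$2; status=0
    tmp=$(mktemp -d) || return 2
    for f in "$old"/*.rules "$new"/*.rules; do
        [ -e "$f" ] && basename "$f"
    done | sort -u > "$tmp/names"
    while IFS= read -r name; do
        [ -e "$old/$name" ] || echo "NEWFILE $name"
        [ -e "$new/$name" ] || echo "GONEFILE $name"
        active_rules "$old/$name" > "$tmp/old"
        active_rules "$new/$name" > "$tmp/new"
        comm -13 "$tmp/old" "$tmp/new" | prefix + "$name"
        comm -23 "$tmp/old" "$tmp/new" | prefix - "$name"
    done < "$tmp/names" > "$tmp/report"
    cat "$tmp/report"
    [ -s "$tmp/report" ] && status=1
    rm -rf "$tmp"
    return $status
}

# Constructed sample: sql.rules changes, blalba.rules is a new ruleset file.
make_sample() {
    mkdir -p "$1/old" "$1/new"
    printf '%s\n' '# constructed' 'alert tcp any any -> any 1433 (msg:"sample A";)' \
        'alert tcp any any -> any 1433 (msg:"sample B";)' > "$1/old/sql.rules"
    printf '%s\n' '# constructed, comment edited' 'alert tcp any any -> any 1433 (msg:"sample A";)' \
        'alert tcp any any -> any 1433 (msg:"sample C";)' > "$1/new/sql.rules"
    printf '%s\n' 'alert udp any any -> any 9 (msg:"sample D";)' > "$1/new/blalba.rules"
}

demo=$(mktemp -d) && make_sample "$demo"
compare_rules "$demo/old" "$demo/new" || true   # cron would mail this output
rm -rf "$demo"
```

Comment-only edits are ignored, so the report lists only rules that would actually change what the sensor alerts on.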



