[Snort-users] current rule file on www.snort.org,
R.FULTON at ...3809...
Sun Feb 10 13:44:04 EST 2002
I am writing a (perl) script to download a new copy of the current
rules from www.snort.org and then process them with a batch editor so
that one can make persistent changes to rules which don't get lost every
time you get a new rule set. I had thought I would set it up so that
the rule file was down loaded if and only if it had changed.
I discovered that the file really is rebuilt every half hour so the
timestamp changes every half hour and thus my script always downloads
the rule set.
Would it be straight forward to modify the script that generates the tar
ball from the cvs to only update the tarball if there are changes?
Some other thoughts:
How often are rules updated in reality? If it is on a more or less
daily basis then there probably isnt any point in checking the dates and
I should download and unpack the rules unconditionally.
Another alternative I am looking at is having the script get the changes
direct from the CVS -- I'm currently 'checking out' the perl cvs
modules. It has occurred to me that I might be able to do the whole job
using cvs's ability to merge changes (using cvs update). I have never
used cvs before so if any of you have ideas on the subject I would be
happy to hear them.
I've got two machines running snort, I intend to automatically update
the rules on one and the, when they are 'tested' update the second.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
More information about the Snort-users