[Snort-users] Re: instant snort sigs for new vulnerabilites

Steve Francis sfrancis at ...6228...
Tue Jul 2 14:58:39 EDT 2002

I have this called from cron:
#Update rules
cd /tmp
rm -rf rules
/usr/local/bin/wget http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
rm snortrules.tar*
mv /tmp/rules/*.rules /usr/local/share/snort

# Restart snort (doing it with stop/start restarts the snort-NNNN at ...6229...
# file).
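# ARCHIVE and SNORTLOG are not set in this excerpt; they must be defined
# earlier in the script.
/usr/local/etc/rc.d/snort.sh stop >/dev/null
if [ -d "$ARCHIVE" ]; then
        # Only move the logs if the cd succeeded.
        cd "$SNORTLOG" && mv *-snort.log "$ARCHIVE"
fi
/usr/local/etc/rc.d/snort.sh start >/dev/null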

twig les wrote:

>That's a good idea for a quick script that I should
>have had done months ago.  As soon as I put out the
>latest mystery fire I'll see if I can get a
>reasonable little Lynx-based cronjob.
>--- Steve McGhee <stevem at ...6226...> wrote:
>>with all the fuss lately over the new apache worm,
>>etc, id like to know
>>if my machine is getting hit (its patched, just
>>being curious). i know
>>about mod_blowchunks, but im looking for something
>>more general..
>>it seems to me that snort could see these attacks
>>pretty easily.
>>is there a tool/method out there that will retrieve
>>the *latest* snort
>>signatures automatically? for those of us not
>>running snort via CVS, id
>>like a way to do something like cvsup, but _only_
>>update my ruleset
>>every night or whatever.
>>i cc: the freebsd team as this might be a cool
>>(simple) port. (something
>>like /usr/ports/security/snort-signatures)
>>this could be helpful to people who are just
>>curious, or maybe could
>>provide some good numbers to shock lazy sysadmins
>>into actually patching
>>their machines.
>>..of course, this is all assuming there's someone
>>out there writing
>>signatures  ;)
>>- --
>>- -steve
>>~        Steve McGhee
>>~        Systems Administrator
>>~        Linguistic Minority Research Institute
>>~        UC Santa Barbara
>>~        phone: (805)893-2683
>>~        email: stevem at ...6226...
>Only fools have all the answers.

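A hardened variant of the cron job in the post, as an added example that is not part of the original message: the tarball is fetched over plain HTTP as in the post, so it is treated as untrusted, staged in a private mktemp directory instead of a fixed path under /tmp, and Snort is restarted only when rules were actually installed. The function names and the flat rules/<file> archive layout are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's script. RULES_URL, DEST and the rc.d path
# come from the post; the function names and the flat rules/<file> layout
# (inferred from the post's "mv /tmp/rules/*.rules") are assumptions.
RULES_URL="http://www.snort.org/downloads/snortrules.tar.gz"
DEST="/usr/local/share/snort"

# Succeed only if every member name is "rules/" or "rules/<file>", where
# <file> has no slash and no leading dot (so no "..", no absolute paths).
tarball_is_safe() {
    names=$(tar -tzf "$1" 2>/dev/null) && [ -n "$names" ] || return 1
    ! printf '%s\n' "$names" |
        grep -Evq '^rules/([A-Za-z0-9_-][A-Za-z0-9._-]*)?$'
}

# Extract into a private mktemp directory and copy plain *.rules files to $2.
# Returns 0 if at least one file was installed; $2 is untouched on rejection.
install_rules() {
    tarball_is_safe "$1" || return 1
    stage=$(mktemp -d) || return 1
    rc=1
    if tar -xzf "$1" -C "$stage"; then
        for f in "$stage"/rules/*.rules; do
            # A symlink member could point outside the stage: skip it.
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            cp "$f" "$2/" && rc=0
        done
    fi
    rm -rf "$stage"
    return "$rc"
}

# Cron entry point: restart Snort only when new rules were installed.
update_rules() {
    dl=$(mktemp -d) || return 1
    if wget -q -O "$dl/snortrules.tar.gz" "$RULES_URL" &&
       install_rules "$dl/snortrules.tar.gz" "$DEST"; then
        /usr/local/etc/rc.d/snort.sh stop >/dev/null
        /usr/local/etc/rc.d/snort.sh start >/dev/null
    fi
    rm -rf "$dl"
}

# From cron, call this script with the single argument "run".
if [ "${1:-}" = "run" ]; then update_rules; fi
```

A failed or rejected download leaves the running Snort and its current rules alone, where the original job would restart it regardless.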