[Snort-users] re: instant snort sigs for new vulnerabilities

Maarten subscriptions at ...6238...
Wed Jul 3 00:07:08 EDT 2002


Hi Steve,

I am using oinkmaster
(ftp://ftp.it.su.se/pub/users/andreas/oinkmaster/oinkmaster-0.5.tar.gz) to
update my ruleset from cron every hour. It's a perl script that fetches the
latest rules. You can also specify sids that you do not want activated in
your configuration.

One downside: oinkmaster deactivates (at least the version I once
downloaded) sids by placing a "#" at the beginning of a rule. It also
activates all rules with a "#" at the beginning of a line when they are not
specified by oinkmaster. Since the new 1.9 rules are commented out with a
"#", you will have problems with 1.8 because oinkmaster uncomments the
lines.

You could fix it in the perl script or clean the snortrules before giving
them to oinkmaster.

maarten

#Is there a tool/method out there that will retrieve the *latest* snort
#signatures automatically? For those of us not running snort via CVS, I'd
#like a way to do something like cvsup, but _only_ update my ruleset
#every night or whatever.
#
#- --
#- -steve
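
The second workaround mentioned in the message above, cleaning the rules before oinkmaster sees them, sketched as an added example (not part of the original post and not oinkmaster code). The function names, the regular expression for what counts as a commented-out rule, and the sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-filter for downloaded Snort rule files.
# Rule lines that ship commented out are dropped, so a later step that
# strips a leading "#" cannot turn them into active rules.
# Ordinary prose comments are kept.

# Assumption: a disabled rule is "#" + rule action + protocol.
DISABLED_RULE_RE='^[ \t]*#+[ \t]*(alert|log|pass|activate|dynamic)[ \t]+(tcp|udp|icmp|ip)[ \t]'

# strip_disabled_rules FILE: print FILE without commented-out rule lines.
strip_disabled_rules() {
    awk -v re="$DISABLED_RULE_RE" '$0 !~ re { print }' "$1"
}

# count_disabled_rules FILE: print how many lines would be dropped.
count_disabled_rules() {
    awk -v re="$DISABLED_RULE_RE" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# clean_rules_dir SRC DST: write cleaned copies of SRC/*.rules into DST.
# Point the updater at DST instead of the raw download.
clean_rules_dir() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    for f in "$src"/*.rules; do
        [ -f "$f" ] || continue
        strip_disabled_rules "$f" > "$dst/$(basename "$f")" || return 1
    done
}

# sample_rules: constructed rule file content for trying the functions.
sample_rules() {
    cat <<'EOF'
# Constructed sample, not real rule data
alert tcp any any -> any 80 (msg:"constructed active rule"; sid:1000001;)
#alert tcp any any -> any 80 (msg:"constructed disabled rule"; sid:1000002;)
# alert udp any any -> any 53 (msg:"constructed disabled rule"; sid:1000003;)
EOF
}
```

Running `count_disabled_rules` on each downloaded file before the hourly update shows how many rules would otherwise be switched on.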





