[Snort-users] instant snort sigs for new vulnerabilites

Stefan Dens stefan.dens at ...1187...
Wed Jul 3 06:20:09 EDT 2002


Hi,

Well, you can do that with snortcenter, you can adjust rules to your own
network setting and update them from the internet without changing your own
configuration.
The only problem is that snortcenter needs build-in user authentication, if
you want to run it from a cron job with lynx or wget. I will make an option
to disable it for auto-update.
http://users.pandora.be/larc

(Just a remark: if to many people are gone use some sort of auto-update
utility, to fetch the snortrules from the snort website, I'll guess there
bandwidth will be gone. And I know that there is a checksum for the
snortrules file, but it seems to change every hour without there is a change
to the rules.)

Stefan Dens

----- Original Message -----
From: "Steve McGhee" <stevem at ...6226...>
To: <snort-users at lists.sourceforge.net>
Cc: <freebsd-security at ...478...>; <freebsd-ports at ...478...>
Sent: Monday, July 01, 2002 10:57 PM
Subject: [Snort-users] instant snort sigs for new vulnerabilites


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> with all the fuss lately over the new apache worm, etc, id like to know
> if my machine is getting hit (its patched, just being curious). i know
> about mod_blowchunks, but im looking for something more general..
>
> it seems to me that snort could see these attacks pretty easily.
>
> is there a tool/method out there that will retrieve the *latest* snort
> signatures automatically? for those of us not running snort via CVS, id
> like a way to do something like cvsup, but _only_ update my ruleset
> every night or whatever.
>
> i cc: the freebsd team as this might be a cool (simple) port. (something
> like /usr/ports/security/snort-signatures)
>
> this could be helpful to people who are just curious, or maybe could
> provide some good numbers to shock lazy sysadmins into actually patching
> their machines.
>
>
> ..of course, this is all assuming there's someone out there writing
> signatures  ;)
>
> - --
> - -steve
>
> ~  ..........................................................
> ~        Steve McGhee
> ~        Systems Administrator
> ~        Linguistic Minority Research Institute
> ~        UC Santa Barbara
> ~        phone: (805)893-2683
> ~        email: stevem at ...6226...
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Using PGP with Mozilla - http://enigmail.mozdev.org
>
> iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
> BcxrxnUpvAJK3Sczy5nY4Ir5
> =9LCO
> -----END PGP SIGNATURE-----
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> No, I will not fix your computer.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list