[Snort-users] snort signatures on www.snort.org

Russell Fulton r.fulton at ...3809...
Tue May 28 19:59:03 EDT 2002


Hi,
    I am looking for a way to determine if the snort rule file:
http://www.snort.org/dl/signatures/snortrules.tar.gz
has actually changed so I don't download a new rule set unless I need
to.

So far as I can tell this file is rebuilt once a day regardless of
whether or not any changes have been made.  When I first realized this I
grabbed the MD5 sum and compared that to one for my current rules but
clearly some timestamps on the files change and the md5 hash for the
tarball changes even though the file contents apparently have not.

Any suggestions?

Alternatively, could the script that makes the snapshot check to see if
there are any changes before building the tarball and rebuild it only if
necessary?

Or should I use CVS to mirror the source tree every night and adjust my
script to process rule files from the local copy if there have been any
changes?

BTW I have a perl script that implements a batch editor for modifying
rule files before passing them to the live snort. It can delete specific
rules and change, delete or add rules for other rules.  At the moment I
am just using it to delete noisy rules but there are several rules that
I want to tweak for local conditions.  If anyone is interested then drop
me a line.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
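
Added example, not part of the original post: one way to tell whether a rebuilt tarball actually carries different rules is to hash only the member names and file contents, so the gzip header timestamp and per-file mtimes no longer affect the result. The function names and the sample rule data are constructed for illustration.

```python
import hashlib
import io
import tarfile


def content_digest(tar_gz_bytes):
    """SHA-256 over member names and file contents only.

    Ignores what makes a rebuilt tarball differ byte-for-byte: the gzip
    header timestamp, per-member mtime/uid/gid, and member ordering.
    """
    entries = []
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links carry no rule content
            data = tar.extractfile(member).read()  # read in memory, nothing unpacked
            entries.append((member.name, hashlib.sha256(data).hexdigest()))
    outer = hashlib.sha256()
    for name, digest in sorted(entries):
        outer.update(f"{name}\0{digest}\n".encode())
    return outer.hexdigest()


def build_sample(files, mtime):
    """Constructed stand-in for a nightly snapshot: given files, given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample rule file, not taken from the real rule set.
    rules = {"rules/local.rules": b'alert tcp any any -> any 80 (msg:"constructed"; sid:1000001;)\n'}
    monday = build_sample(rules, mtime=1022500000)
    tuesday = build_sample(rules, mtime=1022586400)
    print("raw bytes equal:     ", monday == tuesday)
    print("content digest equal:", content_digest(monday) == content_digest(tuesday))
```

Store the digest of the rule set currently in use and fetch-and-install only when the digest of the new download differs.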




