[Snort-users] rules update on 2.8

hermit at ...15048...
Wed Dec 21 11:28:20 EST 2011


Nick,

The current install is on a production machine that I can't take much risk with, that is why I was wondering if the last rule set for the 2.8 series was compatible with my rpm version.  Since the script that pulls doesn't alert on failure I probably have a very old rule set from the looks of it.

I'm looking at "Insta-Snorby" at the moment and thinking about spinning that up on a VM as at least an interim measure.  The current home grown solution analyses the logs nightly and sends an email of possible events to look at every morning.  Seems a tad untimely.

Thanks for the input.
Hermit

Quoting Nick Moore <nmoore at ...1935...>:

> Hermit,
>
> 1. Your Snort version is out of date - we are currently on version 2.9.2.
> Snort 2.8.6.1 is still on the web site for registered rule users, but will
> be aged out in the next couple months.
>
> 2. I'd recommend using pulled pork over oinkmaster. There are several
> guides available on setting it up online.
>
> 3. Yum and other package update mechanisms are not the best way to keep
> Snort up to date. I have found that these frequently lag far enough behind
> the current version that in some cases, they are using a no longer
> supported version in their updates. I would instead recommend looking at it
> manually whenever there is a new Snort release and recompiling.
>
> Hope this helps and Happy Snorting!
>
> Nick
>
> On Wed, Dec 21, 2011 at 8:35 AM, <hermit at ...15048...> wrote:
>
>> Long time lurker,
>>
>>    I started a new position as systems administrator for a small
>> company and just caught up on 6 months of email sitting around in this
>> folder.  The company I currently work for uses snort so I decided to
>> catch up on the email and check the installation.  The old sysadmin
>> has a cron set up to pull rules nightly with:
>>
>>
>> http://www.snort.org/pub-bin/oinkmaster.cgi/somegibberishhere/snortrules-snapshot-2.8.tar.gz
>>
>> This fails.
>>
>>
>> [root at ...15475... ~]# rpm -q snort
>> snort-2.8.5-1
>>
>> Seems to be the latest available.
>>
>> [root at ...15475... ~]# yum update snort
>> Loaded plugins: downloadonly, security
>> Excluding Packages in global exclude list
>> Finished
>> Skipping security plugin, no data
>> Setting up Update Process
>> No Packages marked for Update
>> [root at ...15475... ~]#
>>
>>
>> [root at ...15475... ~]# cat /etc/redhat-release
>> Red Hat Enterprise Linux Server release 5.6 (Tikanga)
>> [root at ...15475... ~]#
>>
>> Is it safe to change "snapshot-2.8" to "snortrules-snapshot-2861.tar.gz"?
>>
>> Thanks
>> Hermit
>>
>
>
>
> --
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>        nickgmoore38 (AIM)
>
>     ,,_
>    o"  )~   Sourcefire - The Creators of Snort
>     ''''
>
> www.sourcefire.com         www.snort.org     www.immunet.com
>
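The failure mode Hermit describes above, a nightly rules pull that fails without telling anyone so the sensor quietly runs months-old signatures, is worth showing in code. The script below is an added example written for this thread; it is not the original cron job, not oinkmaster and not pulledpork. The snapshot URL, the rules directory, the snort.conf path and the seven-day freshness threshold are placeholder assumptions to be set for a real install. It refuses to install anything that is not a real rules tarball (an HTTP error page saved to disk, or an empty file, both fail validation), lets `snort -T` parse the config against the new rules before they go live, rolls back on rejection, and reports every failure to syslog and stderr, which cron mails to the crontab owner.

```shell
#!/bin/sh
# Added example (not from the thread): a cron wrapper around the nightly rules
# pull that fails loudly and flags a stale rule set instead of staying silent.
# The URL, directories and threshold below are placeholder assumptions.

RULES_URL="${RULES_URL:-https://example.invalid/snortrules-snapshot-PLACEHOLDER.tar.gz}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"   # complain when no .rules file is newer than this

# report MSG: write to syslog and stderr. Under cron, stderr is mailed to the
# crontab owner, so a failure reaches a person instead of vanishing.
report() {
    logger -t snort-rules-update -p daemon.err -- "$1" 2>/dev/null
    printf 'snort-rules-update: %s\n' "$1" >&2
}

# validate_archive FILE: succeed only if FILE is a non-empty gzip tarball that
# contains at least one .rules file. A saved HTTP error body, a zero-byte file
# or a tarball with no rules in it all fail here instead of being "installed".
validate_archive() {
    [ -s "$1" ] || return 1
    gzip -t "$1" 2>/dev/null || return 1
    tar -tzf "$1" 2>/dev/null | grep -q '\.rules$'
}

# rules_fresh DIR DAYS: succeed if some .rules file under DIR was modified in
# the last DAYS days (find -mtime -N is POSIX). Used to catch the "old rule
# set from the looks of it" situation independently of the download step.
rules_fresh() {
    [ -n "$(find "$1" -type f -name '*.rules' -mtime "-$2" 2>/dev/null | head -n 1)" ]
}

# update_rules: download, validate, back up, install, test with snort -T,
# and roll back if Snort rejects the new rule set.
update_rules() {
    tmp=$(mktemp -d) || { report "mktemp failed"; return 1; }
    archive="$tmp/rules.tar.gz"
    # -f turns HTTP 4xx/5xx into a non-zero exit instead of saving the error body
    if ! curl -fsS --max-time 120 -o "$archive" "$RULES_URL"; then
        report "download failed: $RULES_URL"; rm -rf "$tmp"; return 1
    fi
    if ! validate_archive "$archive"; then
        report "download is not a rules tarball (retired snapshot or bad oinkcode?)"
        rm -rf "$tmp"; return 1
    fi
    mkdir "$tmp/new" && tar -xzf "$archive" -C "$tmp/new" \
        || { report "extract failed"; rm -rf "$tmp"; return 1; }
    backup="$RULES_DIR.prev"
    rm -rf "$backup" && cp -Rp "$RULES_DIR" "$backup" \
        || { report "could not back up $RULES_DIR"; rm -rf "$tmp"; return 1; }
    # The official snapshots unpack to a rules/ directory; adjust if yours differ.
    cp "$tmp/new"/rules/*.rules "$RULES_DIR"/ 2>/dev/null \
        || { report "no rules/*.rules in archive"; rm -rf "$tmp"; return 1; }
    # Let Snort parse the config with the new rules before trusting them.
    if command -v snort >/dev/null 2>&1 \
       && ! snort -T -c "$SNORT_CONF" >"$tmp/snort-T.log" 2>&1; then
        report "snort -T rejected new rules, restored previous set; log: $tmp/snort-T.log"
        rm -rf "$RULES_DIR" && mv "$backup" "$RULES_DIR"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Usage:  snort-rules-update.sh update   (from cron, nightly)
#         snort-rules-update.sh check    (alert if the live rule set is stale)
case "${1:-}" in
    update) update_rules ;;
    check)  rules_fresh "$RULES_DIR" "$MAX_AGE_DAYS" \
                || { report "newest rule file older than $MAX_AGE_DAYS days"; exit 2; } ;;
esac
```

A crontab entry such as `0 3 * * * /usr/local/sbin/snort-rules-update.sh update && /usr/local/sbin/snort-rules-update.sh check` (paths assumed) gives both checks a nightly run; because cron mails anything written to stderr, a failed download or a stale rule directory produces an email the same night rather than being discovered months later. Snort itself is not needed on the machine for the validation and freshness functions to work, so they can also be exercised against a copied-down snapshot before touching the production sensor.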