[Snort-users] rules update on 2.8

Nick Moore nmoore at ...1935...
Wed Dec 21 13:53:32 EST 2011


Hermit,

Insta-Snorby is a possible approach, but using the setup guides on
Snort.org, you should be able to create a system from scratch in just a
couple of hours. I've done it in as little as 2 hours of wall time, including
booting from the Linux ISO. Several of the guides are step by step,
including mine for CentOS and David Gullett's for Ubuntu.

Shameless commercial to follow:

In the long run, if these seem like too much administrative overhead,
Sourcefire has a number of very economical solutions which take a great
deal of the Snort administration away and give you support.

Happy Snorting!

Nick

On Wed, Dec 21, 2011 at 10:47 AM, Joel Esler <jesler at ...1935...> wrote:

> The last ruleset we made for the 2.8.x branch was in November, and as Nick
> said, it was for 2.8.6.1.  We haven't made rules for 2.8.5 in a long time
> (years).  We've patched bugs and other problems in newer versions of Snort
> that 2.8.x was vulnerable to, and we suggest that you update to the current
> version of Snort (2.9.2).
>
> J
>
> On Dec 21, 2011, at 11:28 AM, hermit at ...15048... wrote:
>
> > Nick,
> >
> > The current install is on a production machine that I can't take much
> > risk with, that is why I was wondering if the last rule set for the
> > 2.8 series was compatible with my rpm version.  Since the script that
> > pulls doesn't alert on failure I probably have a very old rule set
> > from the looks of it.
> >
> > I'm looking at "Insta-Snorby" at the moment and thinking about
> > spinning that up on a VM as at least an interim measure.  The current
> > home grown solution analyses the logs nightly and sends an email of
> > possible events to look at every morning.  Seems a tad untimely.
> >
> > Thanks for the input.
> > Hermit
> >
> > Quoting Nick Moore <nmoore at ...1935...>:
> >
> >> Hermit,
> >>
> >> 1. Your Snort version is out of date - we are currently on version 2.9.2.
> >> Snort 2.8.6.1 is still on the web site for registered rule users, but will
> >> be aged out in the next couple of months.
> >>
> >> 2. I'd recommend using PulledPork over Oinkmaster. There are several
> >> guides available on setting it up online.
> >>
> >> 3. Yum and other package update mechanisms are not the best way to keep
> >> Snort up to date. I have found that these frequently lag far enough behind
> >> the current version that in some cases they are using a no-longer-supported
> >> version in their updates. I would instead recommend looking at it manually
> >> whenever there is a new Snort release and recompiling.
> >>
> >> Hope this helps and Happy Snorting!
> >>
> >> Nick
> >>
> >> On Wed, Dec 21, 2011 at 8:35 AM, <hermit at ...15048...> wrote:
> >>
> >>> Long time lurker,
> >>>
> >>>   I started a new position as systems administrator for a small
> >>> company and just caught up on 6 months of email sitting around in this
> >>> folder.  The company I currently work for uses snort so I decided to
> >>> catch up on the email and check the installation.  The old sysadmin
> >>> has a cron set up to pull rules nightly with:
> >>>
> >>> http://www.snort.org/pub-bin/oinkmaster.cgi/somegibberishhere/snortrules-snapshot-2.8.tar.gz
> >>>
> >>> This fails.
> >>>
> >>>
> >>> [root at ...15475... ~]# rpm -q snort
> >>> snort-2.8.5-1
> >>>
> >>> Seems to be the latest available.
> >>>
> >>> [root at ...15475... ~]# yum update snort
> >>> Loaded plugins: downloadonly, security
> >>> Excluding Packages in global exclude list
> >>> Finished
> >>> Skipping security plugin, no data
> >>> Setting up Update Process
> >>> No Packages marked for Update
> >>> [root at ...15475... ~]#
> >>>
> >>>
> >>> [root at ...15475... ~]# cat /etc/redhat-release
> >>> Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> >>> [root at ...15475... ~]#
> >>>
> >>> Is it safe to change "snapshot-2.8" to "snortrules-snapshot-2861.tar.gz"?
> >>>
> >>> Thanks
> >>> Hermit
> >>>
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> Write once. Port to many.
> >>> Get the SDK and tools to simplify cross-platform app development.
> Create
> >>> new or port existing apps to sell to consumers worldwide. Explore the
> >>> Intel AppUpSM program developer opportunity.
> appdeveloper.intel.com/join
> >>> http://p.sf.net/sfu/intel-appdev
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>
> >>> Please visit http://blog.snort.org to stay current on all the latest
> >>> Snort news!
> >>>
> >>
> >>
> >>
> >> --
> >> Nick Moore, SFCE, CISSP, CISA
> >> Sr. Systems Engineer
> >> Voice 708-336-9041
> >> Email nick.moore at ...1935...
> >> IM    nickgmoore (Yahoo)
> >>       nickgmoore38 (AIM)
> >>
> >>    ,,_
> >>   o"  )~   Sourcefire - The Creators of Snort
> >>    ''''
> >>
> >> www.sourcefire.com         www.snort.org     www.immunet.com
> >>
> >
> >
>
>



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore at ...1935...
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
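The thread turns on two things the old nightly cron job got wrong: it asked for a rule snapshot that no longer matched the installed Snort (2.8.5 on the box, snapshots only ever published for 2.8.6.1 and then 2.9.x), and, as Hermit notes, it "doesn't alert on failure", so a broken download left a stale ruleset in place for months. The script below is an added example, written for this page; it is not from the thread and is not Snort, PulledPork or Oinkmaster code. It derives the snapshot name from the running binary (the thread shows the convention: 2.8.6.1 -> snortrules-snapshot-2861.tar.gz), refuses anything that is not a real gzip tarball with a top-level rules/ directory, config-tests the result with `snort -T`, and exits non-zero with a syslog line on every failure so cron actually tells someone. The Oinkcode file /etc/snort/oinkcode, the config path /etc/snort/snort.conf and the rules/ layout of the tarball are assumptions, not things the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, Snort, PulledPork or Oinkmaster): a cron wrapper
# that pulls the rule snapshot matching the *installed* Snort version and fails loudly.
# Assumptions: an Oinkcode in /etc/snort/oinkcode, a config at /etc/snort/snort.conf,
# and a snapshot tarball with a top-level rules/ directory.
set -u

# snort.org named 2.x snapshots after the version with the dots removed, as the
# thread shows for 2.8.6.1 -> snortrules-snapshot-2861.tar.gz.
snapshot_name_for_version() {
    v=$(printf '%s' "$1" | tr -d '.')
    case "$v" in
        '' | *[!0-9]*) return 1 ;;   # anything that is not all digits is refused
    esac
    printf 'snortrules-snapshot-%s.tar.gz\n' "$v"
}

# Pull the version out of `snort -V` output (e.g. "   Version 2.8.5 (Build 121)") so the
# job never silently asks for a snapshot that does not match the binary on the box.
version_from_snort_v() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# A failed CGI download usually leaves an HTML error page saved under the .tar.gz name;
# the original nightly job never noticed. Insist on real gzip data containing rules/.
verify_rules_tarball() {
    f=$1
    [ -s "$f" ] || { echo "empty download: $f" >&2; return 1; }
    gzip -t "$f" 2>/dev/null || { echo "not gzip data (HTML error page?): $f" >&2; return 1; }
    tar -tzf "$f" 2>/dev/null | grep -q '^rules/' || { echo "no rules/ directory in: $f" >&2; return 1; }
}

# Download, verify, install and config-test. Every failure path returns non-zero and
# writes to syslog, so cron's mail and the exit status reach the operator instead of
# a stale ruleset quietly staying in place.
update_rules() {
    version=$1; oinkcode=$2; dest=${3:-/etc/snort}
    name=$(snapshot_name_for_version "$version") || { echo "unusable version string: $version" >&2; return 1; }
    url="http://www.snort.org/pub-bin/oinkmaster.cgi/${oinkcode}/${name}"
    tmp=$(mktemp /tmp/snortrules.XXXXXX) || return 1
    # --fail: exit non-zero on HTTP 4xx/5xx instead of writing the error body to disk
    if ! curl -sS --fail -o "$tmp" "$url"; then
        logger -t snort-rules "download failed: $name"; rm -f "$tmp"; return 1
    fi
    if ! verify_rules_tarball "$tmp"; then
        logger -t snort-rules "rejected snapshot: $name"; rm -f "$tmp"; return 1
    fi
    # Only the rules/ tree is installed here; so_rules/ and preproc_rules/ are left alone.
    tar -xzf "$tmp" -C "$dest" rules || { logger -t snort-rules "extract failed: $name"; rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # snort -T parses the config plus rules and exits non-zero on a bad rule or option.
    if ! snort -T -c "$dest/snort.conf" >/dev/null 2>&1; then
        logger -t snort-rules "snort -T failed after installing $name; inspect $dest/rules"
        return 1
    fi
    logger -t snort-rules "installed $name"
}

# Invoke from cron as `snort-rules-update.sh --run`; sourcing the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
    update_rules "$(snort -V 2>&1 | version_from_snort_v)" "$(cat /etc/snort/oinkcode)" || exit 1
fi
```

Run it from cron with `--run` and let cron's mail carry the non-zero exit and the stderr lines; the `logger` calls give the same trail in syslog for the nightly log review Hermit already has. If the box is ever upgraded (the thread's real recommendation), nothing in the cron entry needs to change: the snapshot name follows `snort -V`.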