[Snort-users] Checking snort rules date and Pulledpork status

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Wed May 30 12:28:23 EDT 2012


>> Hi,
>> Is it possible to gather the release date from a snortrules-snapshot tar file
>> via standard tools? We use snort for distributed monitoring and need to
>> set up a central update scheme. I thought about setting up a script that
>> updates snort-rules (via pulledpork) only if the rule file is newer than
>> the current ruleset. Alternatively, is there a way by which we can tell the
>> signature release date of the current snort-signature set loaded into snort?

> We publish the md5 of the ruleset.  PulledPork checks this md5 on our
> website against the last md5 you downloaded and if they are different, then
> it downloads the new rule pack.  So, your request is already taken care of.

But what if I don't have internet access and use pulledpork with the -n option?
Also, supposing I copy an older file into tmp, then pulledpork would not
know that this file is older than the ruleset that is currently applicable
and would still process it. Maybe we can have versions (by date) for rulesets and
those can be queried using the snort command line tool?

>> Also, is pulledpork still under active development, considering the fact
>> that the last release (on the code homepage) was over a year ago?

> Yes, very much.  Pull the git master if you want the active devel
> version.  But yes.  JJ is building new features into it to support some of
> the upcoming features of Snort.

Thanks for that info



-- 
To iterate is human. To recurse, divine!
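A script for the offline update scheme discussed in this thread, added here as an example and not code from the thread, from Snort or from PulledPork: it records the md5 and the newest member mtime of the snapshot last applied on a sensor, then refuses a tarball copied into tmp that either matches that md5 or is older, before pulledpork -n would process it. Assumptions: the release date is approximated by the newest file mtime inside the tarball (no version file is assumed), and the snapshot tarballs and state file are constructed in a temp directory.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def ruleset_release_time(tar_path):
    """Newest file mtime in the snapshot; assumed to approximate the release date."""
    with tarfile.open(tar_path, "r:*") as tf:
        return max(m.mtime for m in tf.getmembers() if m.isfile())

def md5_of(path):
    """md5 of the whole tarball, the same value PulledPork compares on the website."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def should_apply(candidate, state_file):
    """Decide whether a copied snapshot should be handed to pulledpork -n.
    state_file holds "<md5> <epoch>" of the ruleset last applied; returns (apply, reason)."""
    cand_md5, cand_time = md5_of(candidate), ruleset_release_time(candidate)
    if Path(state_file).exists():
        last_md5, last_time = Path(state_file).read_text().split()
        if cand_md5 == last_md5:
            return False, "identical to the applied ruleset (md5 match)"
        if cand_time <= int(last_time):
            return False, "older than the applied ruleset (release time)"
    return True, "newer ruleset: apply and record its md5/time"

def record_applied(candidate, state_file):
    """Remember what was applied so later copies can be compared against it."""
    Path(state_file).write_text(f"{md5_of(candidate)} {ruleset_release_time(candidate)}\n")

def make_snapshot(path, mtime, rule_text):
    """Constructed sample tarball standing in for snortrules-snapshot-*.tar.gz."""
    data = rule_text.encode()
    info = tarfile.TarInfo("rules/local.rules")
    info.size, info.mtime = len(data), mtime
    with tarfile.open(path, "w:gz") as tf:
        tf.addfile(info, io.BytesIO(data))

def demo():
    """Run the decision against two constructed snapshots; returns the three verdicts."""
    d = Path(tempfile.mkdtemp())
    old, new, state = d / "old.tar.gz", d / "new.tar.gz", d / "applied.txt"
    make_snapshot(old, 1335000000, "# constructed older rule file\n")
    make_snapshot(new, 1338000000, "# constructed newer rule file\n")
    first = should_apply(new, state)   # nothing applied yet -> apply
    record_applied(new, state)
    again = should_apply(new, state)   # same md5 -> skip
    stale = should_apply(old, state)   # older release time -> skip
    return first, again, stale
```

Running demo() prints nothing; in a deployment the state file would live beside the sensor's rule directory and the script would wrap the pulledpork -n call.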