Re: instant snort sigs for new vulnerabilites

["Stefan Dens" <stefan.dens () pandora be>]

Hi,

Well, you can do that with snortcenter, you can adjust rules to your own
network setting and update them from the internet without changing your own
configuration.
The only problem is that snortcenter needs build-in user authentication, if
you want to run it from a cron job with lynx or wget. I will make an option
to disable it for auto-update.
http://users.pandora.be/larc

(Just a remark: if to many people are gone use some sort of auto-update
utility, to fetch the snortrules from the snort website, I'll guess there
bandwidth will be gone. And I know that there is a checksum for the
snortrules file, but it seems to change every hour without there is a change
to the rules.)

Stefan Dens

----- Original Message -----
From: "Steve McGhee" <stevem () lmri ucsb edu>
To: <snort-users () lists sourceforge net>
Cc: <freebsd-security () freebsd org>; <freebsd-ports () freebsd org>
Sent: Monday, July 01, 2002 10:57 PM
Subject: [Snort-users] instant snort sigs for new vulnerabilites


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> with all the fuss lately over the new apache worm, etc, id like to know
> if my machine is getting hit (its patched, just being curious). i know
> about mod_blowchunks, but im looking for something more general..
>
> it seems to me that snort could see these attacks pretty easily.
>
> is there a tool/method out there that will retrieve the *latest* snort
> signatures automatically? for those of us not running snort via CVS, id
> like a way to do something like cvsup, but _only_ update my ruleset
> every night or whatever.
>
> i cc: the freebsd team as this might be a cool (simple) port. (something
> like /usr/ports/security/snort-signatures)
>
> this could be helpful to people who are just curious, or maybe could
> provide some good numbers to shock lazy sysadmins into actually patching
> their machines.
>
>
> ..of course, this is all assuming there's someone out there writing
> signatures  ;)
>
> - --
> - -steve
>
> ~  ..........................................................
> ~        Steve McGhee
> ~        Systems Administrator
> ~        Linguistic Minority Research Institute
> ~        UC Santa Barbara
> ~        phone: (805)893-2683
> ~        email: stevem () lmri ucsb edu
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Using PGP with Mozilla - http://enigmail.mozdev.org
>
> iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
> BcxrxnUpvAJK3Sczy5nY4Ir5
> =9LCO
> -----END PGP SIGNATURE-----
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> No, I will not fix your computer.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
No, I will not fix your computer.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users