Snort mailing list archives

Snort VRT rules


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 15 Jun 2009 11:17:12 +1200

Just an FYI and apologies for the cross posting

As many of you are no doubt already well aware, the snort rules snapshot  
file is now approaching 100MB and is very slow to download.

What you may not know is that, now that the new snort web site is up,  
the snapshot file is no longer being rebuilt every day, so you can now  
rely on the http header stuff to decide whether or not to download the  
file.  They also have md5 files which you can check if you really  
don't trust the http headers.

I am now using -N on wget and have drastically reduced the headaches  
in downloading the VRT rules.

I have my own script that I use for downloading rule files and this  
now works happily with the new set up.

I am happy to share this script if anyone is interested.  It downloads  
and optionally unpacks tarballs.  I use it since I have several  
sensors with different oinkmaster.confs, and with the large files I  
unpack them as well - this speeds up the oinkmaster processing  
considerably.

I am also hacking oinkmaster by adding a -k <keep-dir> which tells  
oinkmaster to keep the tarballs in the indicated directory and only  
download them if it really needs to.  As expected this change is non-  
trivial as it changes one of the fundamental assumptions about how  
files are downloaded.  That said, the code is well structured and  
documented so it is nowhere near as bad as it could be (Thanks  
Andreas :)

I'm also going to try and get the messages back from the web sessions  
so that you know when you are being excluded by the download limit  
(rather than just getting a 403).

Russell

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
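The download cycle the post describes (wget -N timestamping so an unchanged snapshot is not re-fetched, checking the tarball against the published md5 file, unpacking only when the content actually changed, and keeping server headers so a 403 from the download limit is visible), written out as an added example. This is not Russell's script and not part of oinkmaster. The `.md5` filename convention (`<tarball>.md5`), the `.last-md5` marker file, the digest-file layouts accepted, and the `SNORT_SNAPSHOT_URL` variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from oinkmaster.
# Fetch a Snort VRT rules snapshot only if the server copy is newer, verify it
# against the .md5 file, and unpack it only when the digest has changed.
set -eu

# md5_of FILE -> lowercase MD5 hex digest (md5sum, or openssl as a fallback)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_md5 TARBALL MD5FILE -> 0 if the digest recorded in MD5FILE matches TARBALL.
# Assumption: the digest file carries a 32-hex-digit MD5 somewhere in it, which
# covers both the "HASH  filename" (md5sum) and "MD5(filename)= HASH" (openssl)
# layouts; the first such token is taken as the expected value.
verify_md5() {
    tarball=$1; md5file=$2
    expected=$(grep -oiE '[0-9a-f]{32}' "$md5file" | head -n1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no digest found in $md5file" >&2; return 1; }
    actual=$(md5_of "$tarball")
    [ "$actual" = "$expected" ]
}

# fetch_snapshot URL KEEPDIR -> download URL and URL.md5 into KEEPDIR, then verify.
# -N: only fetch when the server's Last-Modified is newer than the local copy
#     (this is what makes the no-longer-rebuilt-daily snapshot cheap to poll)
# -S: log the server response headers, so a 403 from the download limit is
#     recorded in wget.log instead of being a silent failure
# Network-dependent; the assumed URL.md5 naming is a convention of this example.
fetch_snapshot() {
    url=$1; keepdir=$2
    name=${url##*/}
    mkdir -p "$keepdir"
    wget -nv -N -S -P "$keepdir" "$url" "$url.md5" 2>>"$keepdir/wget.log"
    verify_md5 "$keepdir/$name" "$keepdir/$name.md5"
}

# unpack_if_changed TARBALL RULESDIR -> prints "unpacked" or "unchanged".
# The digest of the last tarball extracted is kept in RULESDIR/.last-md5
# (assumed marker file), so sensors sharing a keep directory do not re-extract
# a snapshot that has not changed.
unpack_if_changed() {
    tarball=$1; rulesdir=$2
    stamp="$rulesdir/.last-md5"
    current=$(md5_of "$tarball")
    if [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$current" ]; then
        echo unchanged
        return 0
    fi
    mkdir -p "$rulesdir"
    tar -xzf "$tarball" -C "$rulesdir"
    printf '%s\n' "$current" > "$stamp"
    echo unpacked
}

# sync_rules URL KEEPDIR RULESDIR -> the whole cycle: fetch if newer, verify, unpack if changed.
sync_rules() {
    fetch_snapshot "$1" "$2"
    unpack_if_changed "$2/${1##*/}" "$3"
}

# Manual run: SNORT_SNAPSHOT_URL=... sh snortsync.sh --run
# (directories below are placeholders for this example)
if [ "${1:-}" = "--run" ]; then
    sync_rules "${SNORT_SNAPSHOT_URL:?set to the VRT snapshot URL}" \
        /var/cache/snortrules /etc/snort/rules
fi
```

`wget -N` relies on the server sending a usable `Last-Modified` header, which is why the post's point about the snapshot no longer being rebuilt daily matters: a file that is regenerated on every request always looks newer. The md5 check is the fallback for anyone who does not want to trust those headers, and it also catches a truncated download. Note that an unauthenticated MD5 file fetched from the same server only detects transport corruption, not a tampered server.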

