Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snort as IDS/IPS in mission-critical enterprisenetwork

From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 9 Dec 2005 13:15:16 -0500
-----Original Message-----
Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical
enterprisenetwork


And check ./contrib on snort, you'll find a ton of ways to automate the

rule updates. Bad 

idea to let it autonomously update (because if you HUP snort and there's a

bad rule, it 

dies) .. but easily made into a once-a-week sort of thing.



cp /etc/snort/rules/* /home/snort/temprules
oinkmaster -c /etc/oinkmaster.conf
if [ $? -ne 0 ]; then
  mail root -s "Update failed"
  exit 2
fi
killall -HUP snort
test=`ps -ef |grep snort`
if [ "$test" = "" ]; then
  rm /etc/snort/rules/*
  cp /home/snort/temprules/* /etc/snort/rules
  snort -c /etc/snort/snort.conf
  mail root -s "Houston we have a problem"
  exit 1
else
  mail root -s "Update successful"
  exit 0
fi


You, too, can be replaced by a small shell script. :)


PaulM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: