Full Disclosure mailing list archives
RE: Snort as IDS/IPS in mission-critical enterprisenetwork
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 9 Dec 2005 13:15:16 -0500
-----Original Message----- Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical enterprisenetwork
And check ./contrib on snort, you'll find a ton of ways to automate the
rule updates. Bad
idea to let it autonomously update (because if you HUP snort and there's a
bad rule, it
dies) .. but easily made into a once-a-week sort of thing.
cp /etc/snort/rules/* /home/snort/temprules oinkmaster -c /etc/oinkmaster.conf if [ $? -ne 0 ]; then mail root -s "Update failed" exit 2 fi killall -HUP snort test=`ps -ef |grep snort` if [ "$test" = "" ]; then rm /etc/snort/rules/* cp /home/snort/temprules/* /etc/snort/rules snort -c /etc/snort/snort.conf mail root -s "Houston we have a problem" exit 1 else mail root -s "Update successful" exit 0 fi You, too, can be replaced by a small shell script. :) PaulM _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Snort as IDS/IPS in mission-critical enterprise network Native.Code (Dec 08)
- Re: Snort as IDS/IPS in mission-critical enterprise network none none (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network c0ntex (Dec 09)
- RE: Snort as IDS/IPS in mission-critical enterprisenetwork Paul Melson (Dec 09)
- New paper on theory of disclosure for security & competitive reasons Peter Swire (Dec 13)
- Re: Snort as IDS/IPS in mission-critical enterprise network coderman (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network c0ntex (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network Michael Holstein (Dec 09)
- RE: Snort as IDS/IPS in mission-critical enterprisenetwork Paul Melson (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprisenetwork Michael Holstein (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network none none (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprisenetwork sk (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network coderman (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network Technica Forensis (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network Native.Code (Dec 11)
- Re: Snort as IDS/IPS in mission-critical enterprise network Mark (Dec 11)