Date: Mon, 01 Jul 2002 16:38:31 -0700
From: Steve Francis <sfrancis@expertcity.com>
To: twig les <twigles@yahoo.com>
Cc: Steve McGhee <stevem@lmri.ucsb.edu>, snort-users@lists.sourceforge.net, freebsd-security@freebsd.org
Subject: Re: instant snort sigs for new vulnerabilities
Message-ID: <3D20E7F7.6040807@expertcity.com>
References: <20020701220138.66193.qmail@web10108.mail.yahoo.com>
I have this called from cron:

    #Update rules
    cd /tmp
    rm -rf rules
    /usr/local/bin/wget http://www.snort.org/downloads/snortrules.tar.gz
    tar -xzf snortrules.tar.gz
    rm snortrules.tar*
    mv /tmp/rules/*.rules /usr/local/share/snort

    # Restart snort (doing it with stop/start restarts the snort-NNNN@NNNN.log
    # file).
    /usr/local/etc/rc.d/snort.sh stop >/dev/null
    if [ -d $ARCHIVE ]; then
        cd $SNORTLOG
        mv *-snort.log $ARCHIVE
    fi
    /usr/local/etc/rc.d/snort.sh start >/dev/null

twig les wrote:
> That's a good idea for a quick script that I should have had done months
> ago. As soon as I put out the latest mystery fire I'll see if I can get a
> reasonable little Lynx-based cronjob.
>
> --- Steve McGhee <stevem@lmri.ucsb.edu> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> with all the fuss lately over the new apache worm, etc, I'd like to know
>> if my machine is getting hit (it's patched, just being curious). I know
>> about mod_blowchunks, but I'm looking for something more general..
>>
>> it seems to me that snort could see these attacks pretty easily.
>>
>> is there a tool/method out there that will retrieve the *latest* snort
>> signatures automatically? for those of us not running snort via CVS, I'd
>> like a way to do something like cvsup, but _only_ update my ruleset
>> every night or whatever.
>>
>> I cc: the freebsd team as this might be a cool (simple) port. (something
>> like /usr/ports/security/snort-signatures)
>>
>> this could be helpful to people who are just curious, or maybe could
>> provide some good numbers to shock lazy sysadmins into actually patching
>> their machines.
>>
>> ..of course, this is all assuming there's someone out there writing
>> signatures ;)
>>
>> - --
>> - -steve
>>
>> ~ Steve McGhee
>> ~ Systems Administrator
>> ~ Linguistic Minority Research Institute
>> ~ UC Santa Barbara
>> ~ phone: (805)893-2683
>> ~ email: stevem@lmri.ucsb.edu
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP 6.5.8
>> Comment: Using PGP with Mozilla - http://enigmail.mozdev.org
>>
>> iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
>> BcxrxnUpvAJK3Sczy5nY4Ir5
>> =9LCO
>> -----END PGP SIGNATURE-----
>
> =====
> -----------------------------------------------------------
> Only fools have all the answers.
> -----------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
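Steve's cron script fetches the ruleset over plain HTTP, copies it straight into the live rules directory, restarts Snort whether or not anything changed, and its `mv *-snort.log $ARCHIVE` step errors out when no log file matches. The following is an added example, not code from this thread or from the Snort project, of the same routine done defensively in POSIX sh: an optional checksum check on the tarball, a check that the archive really has the rules/*.rules layout the thread's script expects, a comparison so the live directory is only touched when the rules changed, a config test of the staged ruleset before the swap, and a log-archive step that tolerates an empty directory. All function and variable names (update_rules, archive_logs, rules_differ, sha256_of, RULESET_TEST, snort_test_ruleset) are hypothetical; the snort.conf path, the SNORTLOG/ARCHIVE defaults and the use of Snort 2's -T and -S flags in the config test are assumptions as well.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): verified,
# idempotent Snort rule update. Names below are hypothetical; the tarball is
# assumed to unpack to a top-level rules/ directory of *.rules files, as in
# the thread's script.
set -u

# Hex sha256 of a file: GNU sha256sum, Perl shasum or BSD sha256, whichever exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Config test for a staged rules directory before it goes live. Assumed:
# Snort 2's -T (test config and exit) and -S var=value (override a rules-file
# variable such as RULE_PATH); the conf path is an assumption too.
snort_test_ruleset() {
    snort -T -c /usr/local/etc/snort/snort.conf -S "RULE_PATH=$1" >/dev/null 2>&1
}
: "${RULESET_TEST:=snort_test_ruleset}"

# rules_differ DIR_A DIR_B: exit 0 when the *.rules sets differ by name or
# content, 1 when identical. Only *.rules are compared, since the live
# directory may hold other files.
rules_differ() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        [ -f "$2/$n" ] && cmp -s "$f" "$2/$n" || return 0
    done
    for f in "$2"/*.rules; do
        [ -f "$f" ] || continue
        [ -f "$1/$(basename "$f")" ] || return 0
    done
    return 1
}

# update_rules TARBALL DEST [EXPECTED_SHA256]
# Prints "updated" or "unchanged" and returns 0; returns 1 with the live
# rules untouched on checksum mismatch, bad archive layout or failed config test.
update_rules() {
    tarball=$1; dest=$2; expected=${3:-}

    if [ -n "$expected" ]; then
        actual=$(sha256_of "$tarball")
        if [ "$actual" != "$expected" ]; then
            echo "checksum mismatch: got $actual" >&2
            return 1
        fi
    fi

    stage=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$stage" 2>/dev/null; then
        rm -rf "$stage"; echo "extract failed" >&2; return 1
    fi
    # Refuse an archive that lacks the expected rules/*.rules layout.
    if ! ls "$stage"/rules/*.rules >/dev/null 2>&1; then
        rm -rf "$stage"; echo "no rules/*.rules in archive" >&2; return 1
    fi

    mkdir -p "$dest" || { rm -rf "$stage"; return 1; }
    if ! rules_differ "$stage/rules" "$dest"; then
        rm -rf "$stage"; echo unchanged; return 0
    fi

    # The candidate ruleset must pass the config test before anything is replaced.
    if ! "$RULESET_TEST" "$stage/rules"; then
        rm -rf "$stage"; echo "ruleset failed config test" >&2; return 1
    fi

    rm -f "$dest"/*.rules
    cp "$stage"/rules/*.rules "$dest"/ || { rm -rf "$stage"; return 1; }
    rm -rf "$stage"
    echo updated
}

# archive_logs LOGDIR ARCHIVE: move LOGDIR/*-snort.log into ARCHIVE and print
# how many files moved. An empty LOGDIR reports 0 instead of an mv error.
archive_logs() {
    [ -d "$2" ] || { echo "archive dir $2 missing" >&2; return 1; }
    n=0
    for f in "$1"/*-snort.log; do
        [ -f "$f" ] || continue
        mv "$f" "$2"/ && n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh update-snort-rules.sh TARBALL DEST [EXPECTED_SHA256]
# Snort is restarted only when the ruleset actually changed (rc script path
# from the thread; SNORTLOG/ARCHIVE defaults are assumptions).
if [ $# -ge 2 ]; then
    result=$(update_rules "$1" "$2" "${3:-}") || exit 1
    echo "$result"
    if [ "$result" = updated ]; then
        /usr/local/etc/rc.d/snort.sh stop >/dev/null
        archive_logs "${SNORTLOG:-/var/log/snort}" "${ARCHIVE:-/var/log/snort/archive}" >/dev/null || true
        /usr/local/etc/rc.d/snort.sh start >/dev/null
    fi
fi
```

The checksum argument only helps if it comes from somewhere other than the download itself (a signed announcement, a second host), which is why it is optional here; the config test and the unchanged-check are what stop a truncated or malformed download from taking the sensor down at the next cron run.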
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D20E7F7.6040807>