From owner-freebsd-security Mon Jul 1 16:36:47 2002
From: Steve Francis <sfrancis@expertcity.com>
To: twig les
Cc: Steve McGhee, snort-users@lists.sourceforge.net, freebsd-security@freebsd.org
Subject: Re: instant snort sigs for new vulnerabilites
Date: Mon, 01 Jul 2002 16:38:31 -0700
Message-ID: <3D20E7F7.6040807@expertcity.com>
References: <20020701220138.66193.qmail@web10108.mail.yahoo.com>

I have this called from cron:
#!/bin/sh
# ARCHIVE and SNORTLOG are set elsewhere in the script this was cut from;
# the values below are placeholders, adjust them to your layout.
ARCHIVE=/var/log/snort/archive
SNORTLOG=/var/log/snort

#Update rules
cd /tmp
rm -rf rules
/usr/local/bin/wget http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
rm snortrules.tar*
mv /tmp/rules/*.rules /usr/local/share/snort

# Restart snort (doing it with stop/start restarts the snort-NNNN@NNNN.log
# file).
/usr/local/etc/rc.d/snort.sh stop >/dev/null
if [ -d "$ARCHIVE" ]; then
        cd "$SNORTLOG"
        mv *-snort.log "$ARCHIVE"
fi
/usr/local/etc/rc.d/snort.sh start >/dev/null

twig les wrote:
> That's a good idea for a quick script that I should have had done months
> ago. As soon as I put out the latest mystery fire I'll see if I can get a
> reasonable little Lynx-based cronjob.


> --- Steve McGhee <stevem@lmri.ucsb.edu> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> with all the fuss lately over the new apache worm, etc, id like to know
>> if my machine is getting hit (its patched, just being curious). i know
>> about mod_blowchunks, but im looking for something more general..
>>
>> it seems to me that snort could see these attacks pretty easily.
>>
>> is there a tool/method out there that will retrieve the *latest* snort
>> signatures automatically? for those of us not running snort via CVS, id
>> like a way to do something like cvsup, but _only_ update my ruleset
>> every night or whatever.
>>
>> i cc: the freebsd team as this might be a cool (simple) port. (something
>> like /usr/ports/security/snort-signatures)
>>
>> this could be helpful to people who are just curious, or maybe could
>> provide some good numbers to shock lazy sysadmins into actually patching
>> their machines.
>>
>> ..of course, this is all assuming there's someone out there writing
>> signatures ;)
>>
>> - --
>> - -steve
>>
>> ~
>> ..........................................................
>> ~        Steve McGhee
>> ~ Systems Administrator
>> ~ Linguistic Minority Research Institute
>> ~ UC Santa Barbara
>> ~ phone: (805)893-2683
>> ~ email: stevem@lmri.ucsb.edu
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP 6.5.8
>> Comment: Using PGP with Mozilla - http://enigmail.mozdev.org
>>
>> iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
>> BcxrxnUpvAJK3Sczy5nY4Ir5
>> =9LCO
>> -----END PGP SIGNATURE-----
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of
>> the message


> =====
> -----------------------------------------------------------
> Only fools have all the answers.
> -----------------------------------------------------------


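The cron job at the top of this message fetches the tarball over plain HTTP, unpacks it in the shared /tmp directory and moves whatever *.rules files appear into the live snort directory with no check in between, so a bad mirror, a tampered download or an archive with "../" member names all end up in the sensor's configuration. The script below is an added example, not code from the original post or from snort.org: it is a stricter drop-in for the "Update rules" half of that job. It assumes the tarball has already been downloaded to a file and that you hold a known-good SHA-256 for it that you recorded out of band (the thread mentions no published checksum, so how you obtain that value is up to you); the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): checked installation of a
# snort rules tarball. Nothing in the live rules directory changes unless
# every check passes.

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# has_unsafe_member: read tar member names on stdin; succeed (exit 0) if any
# name is absolute or contains a ".." path component. Such members would be
# written outside the staging directory by a tar that does not strip them.
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# install_rules TARBALL EXPECTED_SHA256 RULESDIR
# Verifies the checksum, rejects archives with unsafe member names, extracts
# into a fresh staging directory and only then moves the *.rules files into
# RULESDIR. Returns non-zero, with RULESDIR untouched, on any failure.
install_rules() {
    tarball=$1
    expected=$2
    rulesdir=$3

    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "install_rules: checksum mismatch for $tarball" >&2
        return 1
    fi

    # Inspect the member list before extracting anything.
    if tar -tzf "$tarball" | has_unsafe_member; then
        echo "install_rules: archive contains absolute or parent-directory paths" >&2
        return 1
    fi

    stage=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$stage"; then
        rm -rf "$stage"
        return 1
    fi

    # An archive with no rule files is more likely a broken download or a
    # changed layout than a legitimate empty update.
    if [ -z "$(find "$stage" -name '*.rules' | head -n 1)" ]; then
        rm -rf "$stage"
        echo "install_rules: no .rules files in archive" >&2
        return 1
    fi

    # A configuration test (snort -T) against the staged files would belong
    # here, before they replace the live set; it is left out so this example
    # runs without snort installed.
    mkdir -p "$rulesdir" || { rm -rf "$stage"; return 1; }
    find "$stage" -name '*.rules' -exec mv {} "$rulesdir"/ \;
    rm -rf "$stage"
    return 0
}

# Constructed demo, no network: build a tiny rules tarball, record its hash,
# install it, then show that a wrong hash is rejected.
demo() {
    work=$(mktemp -d)
    mkdir "$work/rules"
    printf 'alert tcp any any -> any 80 (msg:"demo rule"; sid:1000001; rev:1;)\n' \
        > "$work/rules/local.rules"
    (cd "$work" && tar -czf rules.tar.gz rules)
    good=$(sha256_of "$work/rules.tar.gz")
    install_rules "$work/rules.tar.gz" "$good" "$work/live" && echo "installed"
    install_rules "$work/rules.tar.gz" deadbeef "$work/live2" || echo "rejected bad checksum"
    rm -rf "$work"
}

demo
```

To use it in place of the wget/tar/mv lines above, download with wget to a file in a directory only root can write to, call install_rules on that file with the checksum you recorded, and only run the stop/start half of the original job if it returned 0. Checking member names before extraction, rather than trusting a particular tar implementation to strip leading "/" and "../", keeps the behaviour the same on GNU tar and bsdtar.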