[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-disclosure] Snort as IDS/IPS in mission-critical enterprisenetwork
- To: "'Michael Holstein'" <michael.holstein@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Snort as IDS/IPS in mission-critical enterprisenetwork
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Fri, 9 Dec 2005 13:15:16 -0500
-----Original Message-----
Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical
enterprisenetwork
> And check ./contrib on snort, you'll find a ton of ways to automate the
rule updates. Bad
> idea to let it autonomously update (because if you HUP snort and there's a
bad rule, it
> dies) .. but easily made into a once-a-week sort of thing.
cp /etc/snort/rules/* /home/snort/temprules
oinkmaster -c /etc/oinkmaster.conf
if [ $? -ne 0 ]; then
mail root -s "Update failed"
exit 2
fi
killall -HUP snort
test=`ps -ef |grep snort`
if [ "$test" = "" ]; then
rm /etc/snort/rules/*
cp /home/snort/temprules/* /etc/snort/rules
snort -c /etc/snort/snort.conf
mail root -s "Houston we have a problem"
exit 1
else
mail root -s "Update successful"
exit 0
fi
You, too, can be replaced by a small shell script. :)
PaulM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/