-----Original Message----- Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical enterprisenetwork
> And check ./contrib on snort, you'll find a ton of ways to automate the rule updates. Bad > idea to let it autonomously update (because if you HUP snort and there's a bad rule, it > dies) .. but easily made into a once-a-week sort of thing. cp /etc/snort/rules/* /home/snort/temprules oinkmaster -c /etc/oinkmaster.conf if [ $? -ne 0 ]; then mail root -s "Update failed" exit 2 fi killall -HUP snort test=`ps -ef |grep snort` if [ "$test" = "" ]; then rm /etc/snort/rules/* cp /home/snort/temprules/* /etc/snort/rules snort -c /etc/snort/snort.conf mail root -s "Houston we have a problem" exit 1 else mail root -s "Update successful" exit 0 fi You, too, can be replaced by a small shell script. :) PaulM _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
