[oclug] snort and IDS stuff
bill at strosberg.com
Thu Jun 26 21:33:30 EDT 2003
On Thu, 26 Jun 2003, Dana Webber wrote:
> With Windumbos the virus scanner needs to be updated at least once a day.
> What about snort on Linux?
> What is the best way to keep snort current? The directions are unclear does it
> need to be re-compiled if new rules are added?
Updating the signatures (rules) in Snort does NOT require a re-compile.
Current signatures are always available on the snort web site, and there
are areas for contributors as well. It is possible to have your own
signatures PLUS the Snort sigs in play at once - allowing for site
specific fine tuing i.e. you may want to monitor for something not checked
for in Snort's default rules, but do want everything else.
If you want to create an attack profile, you can write a NASL script (see
www.nessus.org), run the attack and capture the signature in Snort, and
then appy a rule to monitor for it.
Bill Strosberg, CISSP
bill -at- strosberg -dot- com
A computer on every desktop (DOS era)
Where do you want to go today? (98)
Prepare to fly (changed post 9/11 to) Yes, you can! (ME)
Software for the agile business (2000)
It just works (XP)
Doing more with less (2003)
Oops, we lied! (2004)
More information about the OCLUG