tomas
Resolved
0 votes
Hi All

I have Clear OS 5.2 SP1 set as a gateway with domain, file server, firewall.

Recently I have started thinking about updating Snort rules. I have done some reading and found that you can update rules manually or by creating a script for automatic updates.

The problem is my Snort version is 2.8.4.1 (Build 38), which is old. It looks like I can't download new rules for that version from Snort.org.

Is it safe to update Snort to a new version? Has anyone tried? Does it affect webconfig? How do I do it? :(

Thank you
Wednesday, February 15 2012, 09:29 AM
Responses (5)
  • Accepted Answer

    Monday, March 12 2012, 05:04 PM - #Permalink
    Resolved
    0 votes
    Yes I know why. Have a look for the failure message in /var/log/messages. In my combined rules there is a problem rule at 10568 (it may be different in your set up so check your logs). Either comment out the line or remove the bit "distance:0;" from the rule. Then snort will start.
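The fix described in the reply above (find the failing line reported in /var/log/messages, then comment out the rule or remove `distance:0;`), as an added shell example that is not part of the original thread. It assumes Snort logs the failure as `<rules file>(<line>)`; the function names, sample rules and log line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: Snort 2.x logs a rule parse
# failure as "<rules file>(<line number>)", e.g. "combined.rules(10568)".

# Read log text on stdin; print the last line number reported for rules file $1.
failing_rule_line() {
    base=$(basename "$1")
    sed -n "s/.*${base}(\([0-9][0-9]*\)).*/\1/p" | tail -n 1
}

# fix_rule FILE LINE [comment|strip]
#   comment: disable the whole rule (default)
#   strip:   delete only "distance:0;" (the rule stays active but matches more loosely)
# The untouched file is kept as FILE.bak.
fix_rule() {
    rules=$1 line=$2 mode=${3:-comment}
    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 1; }
    case $line in ''|*[!0-9]*) echo "bad line number: $line" >&2; return 1 ;; esac
    case $mode in comment|strip) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
    total=$(awk 'END { print NR }' "$rules")
    if [ "$line" -lt 1 ] || [ "$line" -gt "$total" ]; then
        echo "line $line is outside $rules ($total lines)" >&2; return 1
    fi
    cp -p "$rules" "$rules.bak" || return 1
    awk -v n="$line" -v mode="$mode" '
        NR == n && mode == "strip"   { gsub(/distance:0;[ ]?/, "") }
        NR == n && mode == "comment" && $0 !~ /^[ \t]*#/ { $0 = "# disabled: " $0 }
        { print }
    ' "$rules.bak" > "$rules"
}

# Demo on constructed data in a scratch directory (no real Snort files touched).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'alert tcp any any -> any 80 (msg:"constructed rule A"; content:"a"; sid:1000001;)' \
        'alert tcp any any -> any 80 (msg:"constructed rule B"; distance:0; sid:1000002;)' \
        > "$dir/combined.rules"
    log="snort[1234]: FATAL ERROR: $dir/combined.rules(2) constructed parse failure"
    n=$(printf '%s\n' "$log" | failing_rule_line "$dir/combined.rules")
    fix_rule "$dir/combined.rules" "$n" comment && sed -n "${n}p" "$dir/combined.rules"
    rm -rf "$dir"
}
demo
```

After editing, running `snort -T -c` with your own snort.conf path tests the configuration before you restart the service.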
  • Accepted Answer

    tomas
    Monday, March 12 2012, 09:31 AM - #Permalink
    Resolved
    0 votes
    Hi

    After last update - Sunday 11/03/12 - Snort doesn't start with new, updated combined.rules. To be able to start the service, I have to disable combined.rules and enable old ones.

    Do you know why?

    Thx
  • Accepted Answer

    tomas
    Friday, February 17 2012, 09:39 AM - #Permalink
    Resolved
    0 votes
    Hi

    I have used Nick's script and it's working (thx :) ) - it will do for now till ClearOS 6 is released.

    I have also added firewall rules from Emerging Threats (block C&C servers, block Spamhaus DROP, block Dshield identified Top Attackers) to rc.firewall.local.

    Thank you
  • Accepted Answer

    Thursday, February 16 2012, 01:48 AM - #Permalink
    Resolved
    0 votes
    You can update Snort to the latest version...but it is not easy. I don't have any written notes on it, but what I can tell you is that I've not gotten it to work with snortsam.

    If you decide to upgrade, good luck.
  • Accepted Answer

    Wednesday, February 15 2012, 10:02 AM - #Permalink
    Resolved
    0 votes
    There is already a script in this forum to update the rules. Search for Emerging Threats.