Snort doc/signatures & rules update
How are you currently updating your /doc/signatures folder?
Both the community rules and the "official" rules.
(Bleedingsnort doesn't have /doc/signature files yet.)
My update just seems to be a real pain and I'm sure there has to be an easier way.
I've hacked together a script to do the following:
I have a script file I created that uses oinkmaster to download the delayed snort rules (behind by 5 days), the snort.org community rules, the bleeding snort rules and the blackhole-dns rules.
Oinkmaster enables/disables certain rules that are enabled/disabled by default, and enables/disables them based on my environment. I get quite a few false positives due to the placement of the sensor.
It has been finely tuned for quite a while now and I RARELY see any false positives anymore.
I then have the script merge all *.map files into the main sid-msg.map file. (Can other .map files be included in the snort.conf file to avoid this step?)
Then the downloaded file(s) are extracted and the /doc/signatures files are copied into the /snort/doc/signatures folder.
Right now, it all works... so, my script does what I need it to... I was just thinking that there has to be an easier way.
How do you manage your rules updates and docs updates?
Are you using any rules other than the custom-created rules I mentioned above?
If so, from where and are they public?
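For reference, here is the map-merge and doc-copy part of such an update written out as a small POSIX sh script. This is an added example, not the poster's script and not anything shipped with oinkmaster or snort. It assumes the standard Snort 2.x sid-msg.map line format (`sid || msg || reference ...`, `#` comments), that the rules tarball has already been unpacked to a directory containing `doc/signatures/<sid>.txt`, and that on a duplicate SID the map file listed first should win; the function names and all paths are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the poster's script): merge
# sid-msg.map fragments into one file, install signature docs from an
# unpacked rules tarball, and report SIDs that have no doc file.
set -eu

# merge_sid_msg OUT FILE...  : combine sid-msg.map fragments into OUT.
# Each line is "sid || msg || reference ..."; '#' lines and blank lines
# are dropped. Duplicate SIDs keep the FIRST occurrence (assumption:
# list the rule set you trust most first). Prints the line count.
merge_sid_msg() {
    out=$1
    shift
    grep -hv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$@" \
        | awk -F'|' '!seen[$1+0]++' \
        | sort -n > "$out"
    # sanity check: every surviving line must start with a numeric SID
    if grep -qv '^[0-9][0-9]* *||' "$out"; then
        echo "merge_sid_msg: malformed line(s) in $out:" >&2
        grep -v '^[0-9][0-9]* *||' "$out" >&2
        return 1
    fi
    wc -l < "$out" | tr -d ' '
}

# install_sig_docs UNPACKED DST : copy UNPACKED/doc/signatures/*.txt into
# DST (created if missing). Prints the number of files now in DST.
install_sig_docs() {
    src=$1/doc/signatures
    dst=$2
    [ -d "$src" ] || { echo "no doc/signatures under $1" >&2; return 1; }
    mkdir -p "$dst"
    cp "$src"/*.txt "$dst"/
    ls "$dst" | wc -l | tr -d ' '
}

# missing_docs MAP DOCDIR : print each SID in MAP with no DOCDIR/<sid>.txt,
# i.e. alerts the web front-end will not be able to document.
missing_docs() {
    awk -F'|' '{ print $1+0 }' "$1" | while read -r sid; do
        [ -f "$2/$sid.txt" ] || echo "$sid"
    done
}

# Usage: sh merge-rules.sh OUTMAP UNPACKED_RULES_DIR SIGDOC_DIR MAPFILE...
# (does nothing when sourced without arguments)
if [ "$#" -ge 4 ]; then
    outmap=$1; unpacked=$2; docdir=$3; shift 3
    merge_sid_msg "$outmap" "$@"
    install_sig_docs "$unpacked" "$docdir"
    missing_docs "$outmap" "$docdir"
fi
```

The `awk '!seen[$1+0]++'` step is what makes the merge order matter: if the vendor rules and a third-party set both define the same SID, whichever map file you name first supplies the message, so put your trusted source first and keep an eye on the `missing_docs` output after each run.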