Re: DB Rules

[Charles Henrich <henrich () sigbus com>]

> It could work.  But there are a few things about it that I don't like.
>
> 1)  Snort needs to be HUP'ed or restarted to re-load it's rules.  DB can't do
> that, so you'd need to script something.

Snort could/should check timestamps on rule files to do updates automatically,
DB updates could be similar, just ping the DB for all rules that changed in
the last 10 minutes or whatever.

> 2)  Ease of editing.  Now we've got one more layer between your admin and
> the rules.  I can't just 'vi fred.rules' and comment out what I don't want.

Once you learn SQL, it doesnt feel any more difficult to change entries, and
actually you could link excel to the DB and continue to edit them as you would
with VI.

> 3)  One Basket.  Everything goes into a single point of failure.  4)  DB
> Availability.  What happens when net access to the DB goes away?  Outage,
> blip, whatever--There will be times connectivity between them will go awry.

Nothing happens, new rules arent propogated, but existing one's would still be
live..

-Crh

      Charles Henrich                                     henrich () sigbus com

                         http://www.sigbus.com/~henrich

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users