Snort mailing list archives
Re: DB Rules
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 17 Aug 2001 21:06:11 -0700 (PDT)
On Fri, 17 Aug 2001, Charles Henrich wrote:
> Snort could/should check timestamps on rule files to do updates automatically, DB updates could be similar, just ping the DB for all rules that changed in the last 10 minutes or whatever.
See #3 below...
> Once you learn SQL, it doesn't feel any more difficult to change entries, and actually you could link excel to the DB and continue to edit them as you would with VI.
Ummm.... I'm not going to start a religious war, but IMHO using some sort of M$ product to manage _anything_ dealing with security is just asking for trouble. :) If you're a Windows type person, please feel free, but for the Unix Bigots(tm), it's a scary thought. Side note: I had to maintain an NT 3.51 net for about a year. After that, I swore it off--It almost killed me. I still have nightmares...
> Nothing happens, new rules aren't propagated, but existing ones would still be live...
The thing that concerns me is this: [This may have changed, or is in the process of it...] Currently, the db output plugin will block if it can't connect to the db. That means that nothing gets processed until it can talk to the DB again. This is not a good thing. I don't like being dependent on ip-to-ip connectivity for any part of an IDS. Granted: This is nit-picky, but when I'm protecting assets, I feel as though I have to be. :-) I have no urge to tell the Pointy-Haired Boss "Ummm, we didn't see the hacker until it was too late." Not very good for job advancement!

On a related note: There is something similar to this out there already. Jeff Dell (jdell () activeworx com) has built a rule merger/sorter/pusher for the Windows platform. He's got it secured with scp, and it's a gui. It might be worth a look at http://www.activeworx.com/ for it. It's called the IDS Policy Manager. It's push instead of pull, but that's a choice for the admins.

Keep those ideas coming! God, I _love_ opensource!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
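The pull model Charles sketches (poll the DB for rules changed in the last N minutes, let the sensor pick up the file by timestamp) can be shown in a few dozen lines. The script below is an added example for this thread; it is not Snort code and not from either poster. The rules(id, rule, updated_at, enabled) table, the file name and the sample rows are all assumptions made up for illustration. It only regenerates the rules file when something actually changed, so a sensor that watches the file's mtime is not reloaded for nothing, and it writes through a temp file plus atomic rename so a reload never reads a half-written file.

```python
"""Pull-model rule sync: poll a rules table for rows changed since the last
sync and regenerate the Snort rules file only when something changed.

Added example for this thread; not Snort code and not from the posters.
The rules(id, rule, updated_at, enabled) schema and the file names are
assumptions chosen for illustration; the rows below are constructed."""
import os
import sqlite3
import tempfile

# Constructed sample rows: (id, rule text, updated_at as ISO-8601 text, enabled)
SAMPLE_RULES = [
    (1, 'alert tcp any any -> any 80 (msg:"example web rule"; sid:1000001; rev:1;)',
     "2001-08-17 20:00:00", 1),
    (2, 'alert udp any any -> any 53 (msg:"example dns rule"; sid:1000002; rev:1;)',
     "2001-08-17 21:00:00", 1),
    (3, 'alert tcp any any -> any 22 (msg:"example ssh rule"; sid:1000003; rev:2;)',
     "2001-08-17 21:04:00", 0),
]


def open_sample_db():
    """In-memory SQLite stand-in for the rules database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rules (id INTEGER PRIMARY KEY, rule TEXT NOT NULL, "
        "updated_at TEXT NOT NULL, enabled INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?, ?)", SAMPLE_RULES)
    conn.commit()
    return conn


def rules_changed_since(conn, since):
    """Rows updated after `since` (ISO text, so lexical order is chronological).
    Parameterised query: `since` is never spliced into the SQL string."""
    cur = conn.execute(
        "SELECT id, rule, enabled FROM rules WHERE updated_at > ? ORDER BY id",
        (since,),
    )
    return cur.fetchall()


def render_rules(rows):
    """Render rows as a Snort rules file. Disabled rules are written commented
    out so the sid stays visible and re-enabling needs no merge by hand."""
    return "".join((r if enabled else "# " + r) + "\n" for _id, r, enabled in rows)


def sync_rules(conn, path, since):
    """Regenerate `path` if anything changed after `since`; return how many
    rows changed. An unchanged file keeps its mtime, so a sensor that reloads
    on timestamp change is not reloaded for nothing. The write goes to a temp
    file followed by an atomic rename so a reload never reads a partial file."""
    changed = rules_changed_since(conn, since)
    if not changed:
        return 0
    all_rows = conn.execute(
        "SELECT id, rule, enabled FROM rules ORDER BY id"
    ).fetchall()
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(render_rules(all_rows))
    os.replace(tmp, path)
    return len(changed)


def demo():
    """Two sync rounds against a temp file.
    Returns (first_count, second_count, file_untouched_on_second, file_text)."""
    conn = open_sample_db()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.rules")
        first = sync_rules(conn, path, "2001-08-17 20:30:00")   # rows 2 and 3 are newer
        mtime = os.stat(path).st_mtime
        second = sync_rules(conn, path, "2001-08-17 21:10:00")  # nothing newer
        untouched = os.stat(path).st_mtime == mtime
        with open(path) as fh:
            text = fh.read()
    return first, second, untouched, text


if __name__ == "__main__":
    first, second, untouched, text = demo()
    print(f"first sync: {first} changed rule(s); second sync: {second}; "
          f"file left untouched: {untouched}")
    print(text, end="")
```

In a real deployment the `since` value would be the timestamp recorded at the previous successful sync, not "now minus ten minutes": a missed poll (DB unreachable, cron skipped) otherwise silently drops the rules changed during the gap, which is the same class of problem as the blocking output plugin above, only quieter.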
Current thread:
- DB Rules Charles Henrich (Aug 17)
- Re: DB Rules Erek Adams (Aug 17)
- Re: DB Rules Charles Henrich (Aug 17)
- Re: DB Rules Erek Adams (Aug 17)
- Re: DB Rules Jason Robertson (Aug 19)
- Re: DB Rules Erek Adams (Aug 19)
- Re: DB Rules Jason Robertson (Aug 20)
- Re: DB Rules Charles Henrich (Aug 17)
- Re: DB Rules Erek Adams (Aug 17)
- Re: DB Rules Chris Green (Aug 17)
- Re: DB Rules Mike Baptiste (Aug 18)
- <Possible follow-ups>
- RE: DB Rules Tom Sevy (Aug 18)
- Re: DB Rules Chris Green (Aug 18)