Snort mailing list archives

Re: DB Rules


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 17 Aug 2001 21:06:11 -0700 (PDT)

On Fri, 17 Aug 2001, Charles Henrich wrote:

> Snort could/should check timestamps on rule files to do updates automatically,
> DB updates could be similar, just ping the DB for all rules that changed in
> the last 10 minutes or whatever.

See #3 below...

> Once you learn SQL, it doesn't feel any more difficult to change entries, and
> actually you could link excel to the DB and continue to edit them as you would
> with VI.

Ummm....  I'm not going to start a religious war, but IMHO using some sort of
M$ product to manage _anything_ dealing with security is just asking for
trouble.  :)  If you're a Windows type person, please feel free, but for the
Unix Bigots(tm), it's a scary thought.  Side note:  I had to maintain an NT
3.51 net for about a year.  After that, I swore it off--It almost killed me.
I still have nightmares...

> Nothing happens, new rules aren't propagated, but existing ones would still be
> live..

The thing that concerns me is this:  [This may have changed, or is in the
process of it...]  Currently, the db output plugin will block if it can't
connect to the db.  That means that nothing gets processed until it can talk
to the DB again.  This is not a good thing.  I don't like being dependent on
ip-to-ip connectivity for any part of an IDS.  Granted:  This is nit-picky,
but when I'm protecting assets, I feel as though I have to be. :-)  I have no
urge to tell the Pointy-Haired Boss "Ummm, we didn't see the hacker until it
was too late."  Not very good for job advancement!

On a related note:  There is something similar to this out there already.
Jeff Dell (jdell () activeworx com) has built a rule merger/sorter/pusher for the
Windows platform.  He's got it secured with scp, and it's a gui.  It might be
worth a look at http://www.activeworx.com/ for it.  It's called the IDS Policy
Manager.  It's push instead of pull, but that's a choice for the admins.

Keep those ideas coming!  God, I _love_ opensource!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
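The outage concern raised above (an output plugin that blocks when its database is unreachable, so no packets get processed) is easiest to see next to the alternative: an alert sink that never stalls the sensor, spools alerts locally while the DB is down, and replays them when it returns. The following is an added example written for this archive page, not Snort's database output plugin or any code from the thread's participants; it uses SQLite as a stand-in for the DB, a `db_available` flag to simulate the outage, and constructed sample alerts.

```python
"""Added illustration: a non-blocking alert sink with a local spool.

Not Snort code. The SQLite table, the `db_available` outage switch and the
SAMPLE_ALERTS below are all constructed for this example.
"""
import sqlite3
from collections import deque

# Constructed sample alerts (hypothetical signature names, RFC 5737 addresses).
SAMPLE_ALERTS = [
    {"ts": 998078771.0, "sig": "EXAMPLE scan probe", "src": "192.0.2.10", "dst": "198.51.100.5"},
    {"ts": 998078772.0, "sig": "EXAMPLE web attack", "src": "192.0.2.11", "dst": "198.51.100.5"},
    {"ts": 998078773.0, "sig": "EXAMPLE dns anomaly", "src": "192.0.2.12", "dst": "198.51.100.53"},
]


class AlertSink:
    """Writes alerts to a database; spools them when the database is down.

    The point of the design: write() returns immediately on DB failure, so
    the packet-processing path is never held hostage to ip-to-ip connectivity.
    """

    def __init__(self, db_path=":memory:"):
        self.db_path = db_path
        self.conn = None
        self.spool = deque()          # alerts waiting for the DB to come back
        self.db_available = True      # flipped to False to simulate an outage

    def _connect(self):
        if not self.db_available:
            raise sqlite3.OperationalError("simulated: database unreachable")
        if self.conn is None:
            self.conn = sqlite3.connect(self.db_path)
            self.conn.execute(
                "CREATE TABLE IF NOT EXISTS event (ts REAL, sig TEXT, src TEXT, dst TEXT)"
            )
        return self.conn

    def _insert(self, alert):
        conn = self._connect()
        conn.execute(
            "INSERT INTO event VALUES (?, ?, ?, ?)",
            (alert["ts"], alert["sig"], alert["src"], alert["dst"]),
        )
        conn.commit()

    def write(self, alert):
        """Try the DB once; on failure spool the alert instead of blocking."""
        try:
            self._insert(alert)
            return "db"
        except sqlite3.OperationalError:
            self.spool.append(alert)
            return "spooled"

    def drain(self):
        """Replay spooled alerts in order; stop at the first failure.

        Returns the number of alerts successfully replayed.
        """
        replayed = 0
        while self.spool:
            try:
                self._insert(self.spool[0])
            except sqlite3.OperationalError:
                break
            self.spool.popleft()
            replayed += 1
        return replayed

    def count(self):
        """Rows currently stored in the DB."""
        return self._connect().execute("SELECT COUNT(*) FROM event").fetchone()[0]


def run_demo():
    """Walk through a DB outage and recovery; returns (outcomes, replayed, stored)."""
    sink = AlertSink()
    outcomes = [sink.write(SAMPLE_ALERTS[0])]   # DB up: stored directly
    sink.db_available = False                   # outage begins
    outcomes.append(sink.write(SAMPLE_ALERTS[1]))
    outcomes.append(sink.write(SAMPLE_ALERTS[2]))
    assert sink.drain() == 0                    # still down: nothing replayed
    sink.db_available = True                    # outage ends
    replayed = sink.drain()
    return outcomes, replayed, sink.count()


if __name__ == "__main__":
    print(run_demo())  # (['db', 'spooled', 'spooled'], 2, 3)
```

The in-memory deque stands in for whatever durable local store a real sensor would use (a spool file on disk, for instance); the design point is only that `write()` returns during the outage and `drain()` catches the DB up afterwards, so an attacker who can disrupt the sensor-to-DB link cannot thereby stop detection.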

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net