Snort mailing list archives

Re: rules update


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 19 Nov 2001 21:29:03 -0500

Since the snort-current rules stuff is just built out of CVS, you could
always do a 'cvs update' and not have to worry about custom local
configuration getting whacked...

     -Marty

Matt Kettler wrote:

1) yes, manually over-write them, then restart or SIGHUP your snort daemon.
Don't forget to check the snort.conf file and update the variables in the
new one.

2) If you were auto-updating signatures, what would happen if someone
managed to hack the snort rule server and put up an empty signature list..
you'd be unprotected. Manual install implies some level of quick "is this
list reasonable" checking on your part.

Malicious intent aside, how would you sensibly auto-update? The snort.conf
file needs edits to have your IP address ranges so you can't use the new
one as-is. Also, the number of .rules files included by snort.conf varies,
so you can't use your old one.

Besides all that, the default ruleset is often not exactly what you want. I
for one have to tweak a few rules out (mostly ICMP ones) or I get flooded,
and add a few custom rules of my own to local.rules based on the structure
of the network here. Once you have a feel for snort you'll probably find
tweaks of your own.

At 03:09 PM 11/19/2001, you wrote:
If I'm to update it manually - what should I do - download it and simply
overwrite the existing snort rules files?
Why shouldn't I update it automatically?
(It's good that I shouldn't, 'cause I don't know how :-)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
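
The "is this list reasonable" check from point 2 of the quoted reply, written out as an added example (it is not part of the thread or of Snort). The function names, the directory arguments and the 80% threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded Snort rules directory before installing it.
# Function names, paths and the default 80% threshold are assumptions.

# Count active (uncommented) rule lines across all *.rules files in a directory.
count_rules() {
    dir=$1
    total=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        # grep -c exits 1 on zero matches but still prints 0
        n=$(grep -cE '^[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Return 0 only if the new set is non-empty and has not shrunk suspiciously.
check_update() {
    old_dir=$1; new_dir=$2; min_pct=${3:-80}
    old=$(count_rules "$old_dir")
    new=$(count_rules "$new_dir")
    if [ "$new" -eq 0 ]; then
        echo "REJECT: new ruleset has no active rules" >&2; return 1
    fi
    if [ $((new * 100)) -lt $((old * min_pct)) ]; then
        echo "REJECT: active rules fell from $old to $new" >&2; return 1
    fi
    # The set of .rules files varies between releases; flag ones that vanished.
    for f in "$old_dir"/*.rules; do
        [ -f "$f" ] || continue
        b=$(basename "$f")
        [ "$b" = local.rules ] && continue
        [ -f "$new_dir/$b" ] || echo "NOTE: $b missing; check snort.conf includes" >&2
    done
    return 0
}

# Copy vetted files into place. local.rules and snort.conf are never touched;
# edits made inside stock files are overwritten, so keep site rules in local.rules.
install_rules() {
    old_dir=$1; new_dir=$2
    check_update "$old_dir" "$new_dir" || return 1
    for f in "$new_dir"/*.rules; do
        b=$(basename "$f")
        [ "$b" = local.rules ] && continue
        cp "$f" "$old_dir/$b"
    done
    return 0
}
```

After `install_rules` succeeds, review snort.conf by hand and then restart or SIGHUP the daemon, as described in point 1.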
