Snort mailing list archives

Re: How do I keep my rules updated in Snort 2.0 on Windows 2000?


From: Erek Adams <erek () snort org>
Date: Mon, 2 Jun 2003 02:01:31 -0400 (EDT)


I didn't respond to the original question for various reasons, but I feel
as though I have to respond to this one.

There are quite a few reasons that doing this can be a _very_ bad thing.  I
won't go into details since they have been discussed here many times.  If
you're curious, please check the archives for 'auto update rules' [0] to
see various discussions.  I will mention some reasons:

        *  Fault tolerance
        *  Bad rules
        *  Tuned ruleset

On Sun, 1 Jun 2003, Jon Baer wrote:

[...snip...]

> wget http://www.whitehats.com/ids/vision18.rules.gz

[...snip...]

You might be better off not using that ruleset.  It hasn't been updated
in quite a while.  None of those rules make use of any of the features
added in later releases.  I didn't do an each-and-every-rule comparison,
but from what I saw, quite a few (if not more) of those rules are already
in the default ruleset.


Now, what you _really_ want is something that's already written.  It's
called Oinkmaster and does its job quite well.  As much of a fan of
manual rule updates as I am, this is the best tool for it that I've seen.  If
you want to have a look at Oinkmaster, it's easily found [1]--and don't
those lil' piggies look cute!?  ;-)

Check the archives and see the arguments.  Make your own choice...  Just
remember "There is no perfect solution."

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=auto+update+rules&q=b
[1] http://www.algonet.se/~nitzer/oinkmaster/
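The three concerns listed above (fault tolerance, bad rules, a tuned ruleset) are what separate a careful rule update from a blind `wget` into the rules directory. The script below is an added example, not code from Oinkmaster, from Erek, or from the original thread. It does the part of Oinkmaster's job that the thread is about: merge a freshly downloaded ruleset into the local one while preserving local tuning (sids kept disabled, sids with local modifications), report exactly what changed so the operator can review it, and only swap the new file into place after a validation step passes. The sample rulesets, the sids 1000001-1000004 and the `validate` callback are all constructed for the example; in production `validate` would run the sensor's own config test (for Snort, `snort -T` against a config that includes the candidate file).

```python
"""Merge a downloaded Snort ruleset into a locally tuned one, safely.

Added example; not Oinkmaster's code. Local policy is expressed the way
Oinkmaster's disablesid/modifysid settings are: sids to keep commented out,
and sids to rewrite with a regex before they are installed.
"""
import os
import re
import tempfile

# A Snort rule carries its identity in the sid option; rev changes when the
# rule body changes upstream.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rulesets (not from any real Snort distribution).
# Locally, sid 1000002 was commented out and sid 1000003 was narrowed to one host.
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample A"; content:"/a"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample B"; content:"/b"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> 10.1.2.3 22 (msg:"SSH sample C"; sid:1000003; rev:1;)
"""

# The "upstream" download: A was revised, B and C are back to defaults, D is new.
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample A"; content:"/a"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample B"; content:"/b"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH sample C"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"WEB sample D"; sid:1000004; rev:1;)
"""


def parse_rules(text):
    """Return {sid: (enabled, rule_text)}; a leading '#' marks a disabled rule."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # plain comment or non-rule line
        rules[int(m.group(1))] = (enabled, body)
    return rules


def merge(old_text, new_text, disablesid=frozenset(), modifysid=None):
    """Merge new rules over old ones, keeping local tuning; return (text, report).

    disablesid: sids that must stay commented out. A rule commented out in the
    old file also stays commented out (re-enable it by hand, not by update).
    modifysid: {sid: (regex, replacement)} applied to the upstream rule text.
    """
    modifysid = modifysid or {}
    old = parse_rules(old_text)
    new = parse_rules(new_text)
    report = {"added": [], "removed": [], "changed": [], "disabled": [], "modified": []}
    out = []
    for sid, (_, body) in new.items():
        if sid in modifysid:
            pattern, repl = modifysid[sid]
            body = re.sub(pattern, repl, body)
            report["modified"].append(sid)
        enabled = sid not in disablesid and old.get(sid, (True, None))[0]
        if not enabled:
            report["disabled"].append(sid)
        if sid not in old:
            report["added"].append(sid)
        elif old[sid][1] != body:
            report["changed"].append(sid)  # upstream changed a rule you run
        out.append(body if enabled else "# " + body)
    report["removed"] = sorted(set(old) - set(new))
    return "\n".join(out) + "\n", report


def install_if_valid(text, path, validate):
    """Write a candidate beside the live file, validate it, then swap atomically.

    validate(candidate_path) -> bool. If it fails, the live ruleset is untouched
    and the sensor keeps running on the rules it already had.
    """
    candidate = path + ".new"
    with open(candidate, "w") as f:
        f.write(text)
    if not validate(candidate):
        os.remove(candidate)
        return False
    os.replace(candidate, path)
    return True


def install_demo():
    """Constructed round trip: a failing validator must leave the live file alone."""
    live = os.path.join(tempfile.mkdtemp(), "local.rules")
    with open(live, "w") as f:
        f.write(OLD_RULES)
    merged, _ = merge(OLD_RULES, NEW_RULES, disablesid={1000004},
                      modifysid={1000003: (r"\$HOME_NET 22", "10.1.2.3 22")})
    rejected = install_if_valid(merged, live, lambda p: False)
    with open(live) as f:
        untouched = f.read() == OLD_RULES
    accepted = install_if_valid(merged, live, lambda p: os.path.getsize(p) > 0)
    with open(live) as f:
        installed = f.read() == merged
    return rejected, untouched, accepted, installed


if __name__ == "__main__":
    text, rep = merge(OLD_RULES, NEW_RULES, disablesid={1000004},
                      modifysid={1000003: (r"\$HOME_NET 22", "10.1.2.3 22")})
    print(text)
    for k, v in rep.items():
        print(f"{k}: {v}")
    print(install_demo())
```

Run on the constructed input, the report shows sid 1000004 added but left disabled, sid 1000001 changed upstream (the thing to eyeball before trusting it on a production sensor), sid 1000002 still commented out, and sid 1000003 still narrowed to the one host even though the download reset it; nothing was removed. The `changed` list is the "bad rules" check: a rule whose body changed is the one a bad upstream edit rides in on, so it gets reviewed rather than deployed unseen.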



