Snort mailing list archives

Re: New rules keyword error


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 24 Oct 2003 09:25:03 +1300

On Thu, Oct 23, 2003 at 09:02:23PM +0200, Andreas Östling wrote:
I think the solution is extremely simple:

1. Update the rules in whatever way you prefer
2. Run snort -T on the new rules (probably by simply adding -T to your
   regular snort start command line)
3. If the test is successful, go ahead and restart snort. If the test
   fails, yell for help and let the current snort process keep running


Yup. I agree with Eric on this one. We got caught by the same issue - I was
auto-downloading snort-current instead of snort-stable and suddenly my
automated update script started e-mailing me that the download was
successful but "corrupt". Upon seeing the e-mails from Eric on the subject I
just changed the script over to snort-stable rules and away we go again.

Here an automated script downloads the rules file every night, runs it
through a totally hand-written shell script of mine (which you are NEVER
going to see - what a mess! ;-) that strips out all the rules our company
doesn't care for and adds in custom rules/etc. If it's identical to the
running config, it exits. If it isn't, it then runs "snort -T" over it, and
either e-mails me telling me there are new rules to look over (it sends me
the diff), or that an error has occurred. I then look over the diff, and if
it seems OK to me, I log into the console and re-run the same script with
the "--live" option, and it pushes that new config out to our 8 Snort boxes
across our world-wide WAN. Sweet :-)

With such a script in place, I don't spend "hours", as is claimed, eyeballing
the latest config - and I don't end up with IDS systems down due to
"corrupt" rules.

Speaking of fully automated updates: anyone here run anti-virus scanners?
Have any of you had entire servers go down due to "corrupt" updates? Let me
answer for you: YES.

Even arguably the oldest COMMERCIAL industry to rely on auto-updates still
can't get it right 100% of the time - so how can the cutting edge?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
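A shell sketch of the download -> diff -> "snort -T" -> install flow described in the message above, added here as an illustration; it is not Jason's script or anything from the Snort project. It assumes `snort` is on PATH (override with SNORT_BIN), that the candidate is a complete snort.conf that can be checked with `snort -T -c`, and that an init script restarts the daemon (RESTART_CMD); the company-specific rule-stripping step is left out. The running config is never replaced unless the test run passes, so a broken download leaves the current Snort process untouched.

```shell
#!/bin/sh
# Added example (not the script from the post). Validate a candidate Snort
# config with "snort -T -c" before it replaces the running one.
# Assumptions (not from the post): SNORT_BIN, RESTART_CMD and the paths are
# placeholders; override them via environment variables.

SNORT_BIN="${SNORT_BIN:-snort}"                            # assumed: snort on PATH
RESTART_CMD="${RESTART_CMD:-/etc/init.d/snort restart}"    # assumed init script

# Report line for the operator; swap printf for "mail" in a real deployment.
report() { printf '%s\n' "$*"; }

# 0 if the candidate differs from the running config (or nothing is running yet).
rules_changed() {
  [ -f "$2" ] || return 0
  ! cmp -s "$1" "$2"
}

# Config test only (no traffic is read); snort's own output lands in $2.
# Exit status is snort's: non-zero means the rules would not load.
validate_config() {
  "$SNORT_BIN" -T -c "$1" >"$2" 2>&1
}

# Dry run (the nightly step): 0 = new and valid, diff appended to $3;
# 1 = identical to the running config; 2 = failed "snort -T".
check_update() {
  candidate="$1"; running="$2"; out="$3"
  if ! rules_changed "$candidate" "$running"; then
    report "no change in rules"; return 1
  fi
  if ! validate_config "$candidate" "$out"; then
    report "snort -T FAILED; running config untouched, see $out"; return 2
  fi
  diff -u "$running" "$candidate" >>"$out" 2>/dev/null
  report "new rules pass snort -T; diff written to $out"
  return 0
}

# Live run (the "--live" step): re-test, keep a last-known-good copy,
# install and restart. Returns 2 and changes nothing if the test fails.
install_update() {
  candidate="$1"; running="$2"; out="$3"
  if ! validate_config "$candidate" "$out"; then
    report "refusing to install: snort -T failed"; return 2
  fi
  [ -f "$running" ] && cp "$running" "$running.bak"
  cp "$candidate" "$running" && $RESTART_CMD
}

# Usage: script --check candidate.conf running.conf report.txt
#        script --live  candidate.conf running.conf report.txt
case "${1:-}" in
  --check) shift; check_update "$@" ;;
  --live)  shift; install_update "$@" ;;
esac
```

The `--check` mode is what a cron job would run every night; `--live` is what the operator runs by hand after reading the diff, and it repeats the `snort -T` test so a file edited between the two steps cannot slip through untested.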


_______________________________________________
Snort-users mailing list

