Snort mailing list archives
Re: New rules keyword error
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 24 Oct 2003 09:25:03 +1300
On Thu, Oct 23, 2003 at 09:02:23PM +0200, Andreas Östling wrote:
> I think the solution is extremely simple:
>
> 1. Update the rules in whatever way you prefer
> 2. Run snort -T on the new rules (probably by simply adding -T to your regular snort start command line)
> 3. If the test is successful, go ahead and restart snort. If the test fails, yell for help and let the current snort process keep running
Yup. I agree with Eric on this one. We got caught by the same issue - I was auto-downloading snort-current instead of snort-stable and suddenly my automated update script started e-mailing me that the download was successful but "corrupt". Upon seeing the e-mails from Eric on the subject I just changed the script over to snort-stable rules and away we go again.

Here an automated script downloads the rules file every night, runs it through a totally hand-written shell script of mine (which you are NEVER going to see - what a mess! ;-) that strips out all the rules our company doesn't care for and adds in custom rules/etc. If it's identical to the running config, it exits. If it isn't, it then runs "snort -T" over it, and either e-mails me telling me there are new rules to look over (it sends me the diff), or that an error has occurred. I then look over the diff, and if it seems OK to me, I log into the console and re-run the same script with the "--live" option, and it pushes that new config out to our 8 Snort boxes across our world-wide WAN. Sweet :-)

With such a script in place, I don't spend "hours" as is claimed eyeballing the latest config - and I don't end up with IDS systems down due to "corrupt" rules.

Speaking of fully automated updates. Anyone here run Anti-virus scanners? Anyone of you had entire servers go down due to "corrupt" updates? Let me answer for you: YES. Even arguably the oldest COMMERCIAL industry to rely on auto-updates still can't get it right 100% of the time - so how can the cutting edge?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
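The validate-then-swap procedure Andreas and Jason describe (skip if the candidate is identical to the running config, run `snort -T` over it, keep the current process and config when the test fails, and only install after a human has looked at the diff and re-run with `--live`), written up as an added example. This is not a script from the thread or from the Snort project; the validator command, the `--live` flag, the return codes and the file locations are assumptions of this example.

```shell
#!/bin/sh
# Stage a candidate Snort rules file against the live one.
# Assumption: the validator takes the candidate config path as its last
# argument; `snort -T -c` is the real invocation, and it can be overridden
# (e.g. with a stub) by setting SNORT_TEST_CMD in the environment.
: "${SNORT_TEST_CMD:=snort -T -c}"

# stage_rules CANDIDATE LIVE [--live]
# Return codes (assumed for this example):
#   1  candidate identical to live config, nothing to do
#   2  snort -T rejected the candidate; live config untouched, snort keeps running
#   0  candidate passed; diff written to CANDIDATE.diff for review, and with
#      --live the file is installed (previous live copy kept as LIVE.bak)
stage_rules() {
    candidate=$1
    live=$2
    mode=${3:-review}

    if [ -f "$live" ] && cmp -s "$candidate" "$live"; then
        return 1
    fi

    # Run the config test; the log is what you would mail out on failure.
    if ! $SNORT_TEST_CMD "$candidate" >"$candidate.test.log" 2>&1; then
        return 2
    fi

    # Test passed: record what changed so a human can eyeball it.
    if [ -f "$live" ]; then
        diff -u "$live" "$candidate" >"$candidate.diff" || true
    else
        cp "$candidate" "$candidate.diff"
    fi

    if [ "$mode" = "--live" ]; then
        [ -f "$live" ] && cp -p "$live" "$live.bak"
        cp "$candidate" "$live"
        # Caller restarts snort here (or pushes $live to the sensor fleet).
    fi
    return 0
}

# Typical nightly use (assumed paths):
#   stage_rules /var/tmp/snort.rules.new /etc/snort/snort.rules        # test + diff for review
#   stage_rules /var/tmp/snort.rules.new /etc/snort/snort.rules --live # install after review
```

In review mode the function never touches the live file, so a bad download only costs you an e-mail; the `--live` pass re-runs the same test, so a rules file that drifted between review and install is still caught before it replaces the running config.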