Snort mailing list archives
Re: New rules keyword error
From: "Marc Quibell" <mquibell () fbfs com>
Date: Fri, 24 Oct 2003 13:08:41 -0500
Take this offline please if you're going to reply.

I think what you're really telling me is that unlike paid products, Snort updates are so unreliable that automatically assuming they're safe is unwise. And I'm trying to tell you that anything those auto-updates do to my Snort installation is trivial, and that I do not rely upon Snort to run the business. It is merely an aid to monitor the network. It can be fixed quite easily.

Why should I not test and analyze Snort rules updates? If I tested every update ISS sends me, I'd never get them pushed out into the field. I guess maybe that's why THEY test them first before releasing them. Wow, what a concept. You see, ISS has customer responsibilities. Snort does not. I rely upon ISS to be safe and true. I do not rely upon Snort to be the same, but I do know that if there is a problem, it's easily manageable, and it is not, again, a show-stopper. This is why I automated rule updates.

Cheese,
Marc

jeff () snort org on 10/24/2003 11:37:10 AM

To: Marc Quibell/FBFS@FBFS
cc: snort-users () lists sourceforge net, frank () knobbe us
Subject: Re: [Snort-users] New rules keyword error

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What works for a relatively small installation of Snort in many cases is inappropriate for a large deployment. Managing tens of sensors, the need to safely manage rule sets on a very discrete basis becomes quite clear.

- -Jeff

On Friday, October 24, 2003, at 09:49 AM, Marc Quibell wrote:
Message: 2
Subject: Re: [Snort-users] New rules keyword error
From: Frank Knobbe <frank () knobbe us>
To: snort-users () lists sourceforge net
Date: Thu, 23 Oct 2003 13:29:10 -0500

On Thu, 2003-10-23 at 08:57, Marc Quibell wrote:

-I have always Auto-updated Snort. Period. Never had any problems.

Oh really? You didn't run into problems during the 1.9/2.0 parallel? I remember that CVS all of the sudden contained rules with strange new keywords, and Snort barfed promptly. The solution was obviously to check out the correct tag and not rely on HEAD. Maybe you got lucky with tarballs, but I recall there being with those in the past as well.

No. Let me start this out by saying I'm not speaking for anyone else, not assuming for anyone else. I usually do not upgrade a product until I know it's a stable and necessary upgrade. So I believe in this case, I upgraded from Snort 1.8.x to 2.0. Now lookie there, my method worked. Any problems with 1.9.X were avoided.

-I don't pay for this product, it's not a production show-stopper! So no one is going to fuss about it, or even notice it, if it's out of commission for 5 mins or 5 days!

That may be, but that's only you. Don't assume the same for others.

Riiiiight.... I merely stated my experience.

Now, why on Earth would I babysit this product? I can usually fix any problem with rules in a matter of seconds...

Maybe I'm missing context, but IDS's need to be babysit. If you don't, there may be something wrong with the way to do IDS.

Oh sure, I look at the logs, look for false positives, check to see if I'm getting everything, check to see that both are still running...etc. But like my other linux products, everything is updated automatically: Nessus, Snort...etc. It only makes sense to me, oh well...You do it your way, whatever that is, and I'll do it mine. Mine seems to have less problems

No offense, just some food for thought....

I'm still hungry.

Regards,
Frank

-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- --
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan November, 2003
http://www.pacsec.jp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/mVU5Eqr8+Gkj0/0RArrhAKCPmYt2YOepy9mTjT49y1pbG9WKmQCdH0Cg
ut9iNuavjmQpBKSxncTHnvY=
=qOy+
-----END PGP SIGNATURE-----