Snort mailing list archives
Re: New rules keyword error
From: Jeff Nathan <jeff () snort org>
Date: Fri, 24 Oct 2003 12:31:37 -0400
Once upon a time some companies selling Snort-based products and services built their systems to regularly download all the rules from snort.org (via cvs) and enabled every single rule.
As a follow up to the question below, imagine if a rule that fired on every IP packet made it into CVS but was commented out...
Your ACID systems better be sitting inside an ARK if they intend to survive that flood. :)
I'm sure you folks catch my drift.

-Jeff

On Thursday, October 23, 2003, at 05:42 PM, John Creegan wrote:
> This is exactly what I was thinking. Not hard at all. However, Chris Green has made (for me) a really good point. What if the new ruleset tests fine, snort starts up, and something unique to your (or mine, or anyone's) environment causes a flood of alerts because of new rule(s)? Though I was seriously thinking about creating a script to do just that (I've only been working with snort for the last few months and hadn't gotten that far yet) I can't ignore Chris's question (thanks, Chris!). A flood of alerts due to a new rule isn't something I had thought of, and I wasn't in the archives because I wasn't looking for a solution to a problem. Hmmm... I seem to be learning that the archives are of use for more than just solution-hunting, and can be taken as a sort of compendium of all human (err, sorry about the "Time Machine" reference there :-) snort knowledge.
>
> >>> Andreas Östling <andreaso () it su se> 10/23/03 02:02PM >>>
> > On Thu, 23 Oct 2003, John Creegan wrote:
> >
> > > In that script, one could use an instance of snort, even if there's only one box doing IDS, to test the new ruleset (pointing to an alternate ruleset). Snort puts out plenty to know if it didn't start because of a malformed rule or if there were daemon errors starting up or whatever. If no errors, fold in the new rules and restart the production snort(s). If errors, either go into babysitting mode or wait for another day.
> >
> > I think the solution is extremely simple:
> >
> > 1. Update the rules in whatever way you prefer
> > 2. Run snort -T on the new rules (probably by simply adding -T to your regular snort start command line)
> > 3. If the test is successful, go ahead and restart snort. If the test fails, yell for help and let the current snort process keep running
> >
> > It's usually just a matter of adding one or two lines to your snort init script...
> >
> > /Andreas
>
> -------------------------------------------------------
> This SF.net email is sponsored by: The SF.net Donation Program.
> Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
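The three-step flow Andreas describes (stage the new rules, run `snort -T`, restart only if the test passes) with a guard for the alert-flood case Chris Green and Jeff raise, as an added shell example that is not code from this thread or from the Snort project. Every path, the init script, the `var RULE_PATH` line in snort.conf, the `[**]`-prefixed alert-file format and the flood threshold are assumptions about a typical install; adjust them locally.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Snort project.
# Wraps the three steps Andreas lists (stage new rules, "snort -T", restart
# only on success) and adds a guard for the alert-flood case Chris Green and
# Jeff raise: watch the alert file briefly after the restart and roll back to
# the previous ruleset if the new one fires far too often.
# Every path, the init script, the alert-file format and the thresholds
# below are assumptions; adjust them to the local install.
set -u

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"           # assumed path
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"    # assumed; contains "var RULE_PATH ..."
SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"        # assumed init script with "restart"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"           # live ruleset (what RULE_PATH points at)
STAGING_DIR="${STAGING_DIR:-/etc/snort/rules.new}"   # step 1 drops the downloaded rules here
PREV_DIR="${PREV_DIR:-/etc/snort/rules.prev}"        # last known-good ruleset, kept for rollback
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"     # alert_fast/alert_full output, "[**]" per record
WINDOW="${WINDOW:-60}"                               # seconds to watch after the restart
MAX_NEW_ALERTS="${MAX_NEW_ALERTS:-500}"              # more than this in WINDOW counts as a flood

# Step 2: "snort -T" parses the config and every rule it includes, then exits
# without sniffing; a malformed rule makes it exit non-zero. The candidate
# config is the live one with RULE_PATH pointed at the staging directory.
rules_ok() {
    conf=$1
    log=$2
    "$SNORT_BIN" -T -c "$conf" >"$log" 2>&1
}

# Number of alert records in a Snort alert file (0 if the file is absent).
# Both alert_fast and alert_full start each record with "[**]" (assumed).
alert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^\[\*\*\]' "$1" || true
}

# Flood heuristic: more than LIMIT new alerts between two counts.
is_flood() {
    before=$1
    after=$2
    limit=$3
    [ $((after - before)) -gt "$limit" ]
}

restart_snort() {
    # Snort only picks up a new ruleset on restart (assumed init script).
    "$SNORT_INIT" restart
}

deploy() {
    [ -d "$STAGING_DIR" ] || { echo "deploy: no staged rules in $STAGING_DIR" >&2; return 1; }

    testconf=$(mktemp /tmp/snort-test.XXXXXX)
    testlog=$(mktemp /tmp/snort-test.XXXXXX)
    sed "s|^var RULE_PATH .*|var RULE_PATH $STAGING_DIR|" "$SNORT_CONF" >"$testconf"
    if ! rules_ok "$testconf" "$testlog"; then
        # Step 3, failure branch: the running snort is untouched; yell for help.
        echo "deploy: snort -T failed on the new ruleset, current snort kept running" >&2
        tail -n 20 "$testlog" >&2
        rm -f "$testconf" "$testlog"
        return 1
    fi
    rm -f "$testconf" "$testlog"

    # Step 3, success branch: swap the rulesets, keep the old one, restart.
    before=$(alert_count "$ALERT_FILE")
    rm -rf "$PREV_DIR"
    mv "$RULES_DIR" "$PREV_DIR" && mv "$STAGING_DIR" "$RULES_DIR"
    restart_snort

    # Flood guard: a rule that matches every packet shows up as a burst of
    # alerts within seconds of the restart. Roll back rather than drown ACID.
    sleep "$WINDOW"
    after=$(alert_count "$ALERT_FILE")
    if is_flood "$before" "$after" "$MAX_NEW_ALERTS"; then
        echo "deploy: $((after - before)) alerts in ${WINDOW}s, rolling back to previous ruleset" >&2
        mv "$RULES_DIR" "$STAGING_DIR" && mv "$PREV_DIR" "$RULES_DIR"
        restart_snort
        return 2
    fi
    echo "deploy: new ruleset live ($((after - before)) alerts in ${WINDOW}s)"
}

# Usage: snort-rule-update.sh deploy   (after step 1 has filled STAGING_DIR)
case "${1:-}" in
    deploy) deploy ;;
esac
```

The rejected ruleset is left in the staging directory in both failure branches, so the `snort -T` log or the burst of alerts can be compared against it before trying again. The flood threshold is deliberately crude: the point is to catch a rule that fires on every packet, not to tune alert volume, and a legitimate new rule that trips it just needs MAX_NEW_ALERTS raised for that run.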
Current thread:
- Re: New rules keyword error, (continued)
- Re: New rules keyword error Erek Adams (Oct 22)
- Re: New rules keyword error Marc Quibell (Oct 22)
- Re: New rules keyword error Marc Quibell (Oct 23)
- Re: New rules keyword error Frank Knobbe (Oct 23)
- Re: New rules keyword error Josh Berry (Oct 28)
- Re: New rules keyword error Frank Knobbe (Oct 23)
- Re: New rules keyword error John Creegan (Oct 23)
- Re: New rules keyword error Andreas Östling (Oct 23)
- Re: New rules keyword error Jason Haar (Oct 24)
- Re: New rules keyword error Chris Green (Oct 24)
- Re: New rules keyword error Andreas Östling (Oct 23)
- Re: New rules keyword error John Creegan (Oct 23)
- Re: New rules keyword error Jeff Nathan (Oct 25)
- Re: New rules keyword error Marc Quibell (Oct 24)
- Re: New rules keyword error Marc Quibell (Oct 24)
- Re: New rules keyword error Jeff Nathan (Oct 24)
- Re: New rules keyword error Marc Quibell (Oct 24)
- Re: New rules keyword error Chris Green (Oct 24)