Snort mailing list archives

Re: DB Rules


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 17 Aug 2001 17:18:04 -0700 (PDT)

On Fri, 17 Aug 2001, Charles Henrich wrote:

> It would be really cool if snort could read its rulesets from the database
> source.  That way remote sensors who are talking directly to the central DB
> server could get immediate rule updates, and make administration of a snort
> network much easier.. (IMHO).  Whacha think?

It could work.  But there are a few things about it that I don't like.

1)  Snort needs to be HUP'ed or restarted to re-load its rules.  DB can't do
that, so you'd need to script something.
2)  Ease of editing.  Now we've got one more layer between your admin and the
rules.  I can't just 'vi fred.rules' and comment out what I don't want.
3)  One Basket.  Everything goes into a single point of failure.
4)  DB Availability.  What happens when net access to the DB goes away?
Outage, blip, whatever -- there will be times connectivity between them will go
awry.

Personally, I simply use ssh/scp and a shell script.  It allows me to push new
rules, .conf files, new versions, etc. to each sensor without resorting to
logging into them.  Again, this is my opinion only!

This is kinda like the "Tomato or Tamato" debate.  :)  If it works for you, do
it!  If not, make something that will work for you.

Later!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
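What "ssh/scp and a shell script" plus the HUP-to-reload point can look like in practice, as an added example (not Erek's own script). It assumes key-based ssh as $SENSOR_USER to every sensor, a snort.conf that locates rules through the usual RULE_PATH variable, and a pid file written by snort at $REMOTE_PID; a sensor whose new rules fail snort's parse check (-T) keeps its old rules and is never HUP'ed, so one bad rule does not take the sensor down.

```shell
#!/bin/sh
# Added example, not the script from the post.  Assumptions: key-based ssh as
# $SENSOR_USER to each sensor, a snort.conf that finds its rules through the
# RULE_PATH variable, and a pid file written by snort at $REMOTE_PID.
SENSOR_USER=${SENSOR_USER:-snort}
REMOTE_CONF=${REMOTE_CONF:-/etc/snort/snort.conf}
REMOTE_RULES=${REMOTE_RULES:-/etc/snort/rules}
REMOTE_PID=${REMOTE_PID:-/var/run/snort.pid}

# push_rules <local_rules_dir> <sensor>...
# For each sensor: copy the rules to a staging directory, let snort test-parse
# the config against the staged rules (-T), and only if that passes swap the
# staged rules in and HUP the running snort so it re-reads them.  A sensor
# that fails any step keeps its old rules and keeps running.  Returns the
# number of sensors that were NOT updated, so 0 means a clean push.
push_rules() {
  rules_dir=$1; shift
  failed=0
  for sensor in "$@"; do
    host="$SENSOR_USER@$sensor"
    staging="$REMOTE_RULES.new"
    if ! ssh "$host" "rm -rf '$staging'" ||
       ! scp -q -r "$rules_dir" "$host:$staging"; then
      echo "$sensor: copy failed, sensor left untouched" >&2
      failed=$((failed + 1)); continue
    fi
    # Parse-check before touching the live rules: a typo in one rule would
    # otherwise kill the sensor on HUP instead of just failing this check.
    if ! ssh "$host" "snort -T -c '$REMOTE_CONF' -S RULE_PATH='$staging' >/dev/null 2>&1"; then
      echo "$sensor: new rules failed snort -T, sensor left untouched" >&2
      ssh "$host" "rm -rf '$staging'" || true
      failed=$((failed + 1)); continue
    fi
    # Keep the previous rule set as .old so a bad push can be undone by hand.
    if ! ssh "$host" "rm -rf '$REMOTE_RULES.old' && mv '$REMOTE_RULES' '$REMOTE_RULES.old' && mv '$staging' '$REMOTE_RULES' && kill -HUP \"\$(cat '$REMOTE_PID')\""; then
      echo "$sensor: swap/HUP failed, check sensor by hand" >&2
      failed=$((failed + 1)); continue
    fi
    echo "$sensor: rules updated and snort reloaded"
  done
  return "$failed"
}

# Usage: push_rules.sh ./rules sensor1 sensor2 ...
if [ $# -ge 2 ]; then
  push_rules "$@"
fi
```

The exit status is the count of sensors not updated, so a cron wrapper can page on anything non-zero rather than parsing the output.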

