Snort mailing list archives

RE: Rule management


From: "Jeff Dell" <jdell () activeworx com>
Date: Tue, 27 Nov 2001 07:40:11 -0500


I have thought about that and I have had a lot of people question me
about the choice of win2k. Well, at the time I started it I had to have
a win2k workstation at my desk, so I just continued to work with it. I
now only work on it on my free time, which is about 5-10 hours a week,
so rewriting it for Linux could take some time. The funny thing is that
I have never used Snort with Windows. I have always used it with Linux.
Maybe someday I will get off my lazy ass and do something with Linux.

Jeff

-----Original Message-----
From: Jason Lewis [mailto:jlewis () packetnexus com] 
Sent: Tuesday, November 27, 2001 7:25 AM
To: 'Jeff Dell'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rule management


I misspoke and I apologize. I was thinking about IDS Policy
Manager and typed IDScenter. I have used it and it is handy.

My problem is win2k. Heh. Jeff, how about a Linux version?
Or even something web based?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.




-----Original Message-----
From: Jeff Dell [mailto:jdell () activeworx com]
Sent: Tuesday, November 27, 2001 7:05 AM
To: jlewis () packetnexus com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rule management



I have been working on a tool that does just this: IDS Policy 
Manager www.activeworx.com. It does complete rule management 
for Snort. Yes, this tool does reside on Windows 2k, but it 
handles rules for really any OS. One thing it doesn't
presently have is automatic rule update. But it does 
everything else. If that is something that is in high demand, 
it should be easy enough to do.

To be honest with you, I watch how often the CVS rules get 
updated and it only happens about once a week. If you modify 
your ids sensors more than once a week, it is easy enough to
just click a button to merge in the new rules as you are 
modifying them. This way you know exactly which rules were 
merged in and if you really want them enabled or not. I 
personally have a hard time just updating the policy without 
me knowing what changes have been made.

Jeff


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Lewis
Sent: Tuesday, November 27, 2001 6:34 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rule management


I was thinking about all the requests for automatic rule updates. I
think this stems from the anti-virus auto update features. The
thinking is... the more up to date the sigs are, the better off you
are.

What we really need is a rule management tool. IDScenter does some of
this, but it runs on Win2k. (You can manage Linux sensors too.)

Is anyone updating a master rule list and pushing updates to sensors?
I have tossed around different ideas for doing this and thought maybe
I could get some feedback here. I was thinking a directory structure
that had folders for each sensor and rules were updated automatically
via scp. Thoughts?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users




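The per-sensor folder scheme Jason proposes, combined with the "know exactly which rules were merged in" review step Jeff describes, as an added example that is not code from the thread or from IDS Policy Manager. All paths, sensor names, SIDs and rule text are constructed; `deploy` is defined but not run, since it needs a reachable sensor and an scp key.

```shell
#!/bin/sh
# Added example (not from the thread): stage a master Snort rule set into one
# folder per sensor and list the SIDs that are new or revised on each sensor
# before anything is pushed over scp. Everything below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MASTER="$WORK/master"
SENSORS="$WORK/sensors"
mkdir -p "$MASTER" "$SENSORS/sensor1" "$SENSORS/sensor2"

# Constructed sample rules: master has a revised rule and a brand-new one.
cat > "$MASTER/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; sid:1000001; rev:2;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh probe"; sid:1000002; rev:1;)
EOF
# sensor1 still runs rev:1 of the first rule; sensor2 has no local rules yet.
cat > "$SENSORS/sensor1/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; sid:1000001; rev:1;)
EOF
: > "$SENSORS/sensor2/local.rules"

# Print sorted "sid rev" pairs for the active (uncommented) rules in a file.
rule_sids() {
  grep -v '^[[:space:]]*#' "$1" \
    | sed -n 's/.*sid:[[:space:]]*\([0-9]*\);.*rev:[[:space:]]*\([0-9]*\);.*/\1 \2/p' \
    | sort
}

# List the SIDs the master set would add to, or change on, the named sensor,
# so the operator can decide whether to enable them before they are merged.
pending_sids() {
  rule_sids "$MASTER/local.rules" > "$WORK/master.sids"
  rule_sids "$SENSORS/$1/local.rules" > "$WORK/sensor.sids"
  comm -23 "$WORK/master.sids" "$WORK/sensor.sids" | awk '{ print $1 }'
}

# Push the reviewed copy: $1 = sensor name, $2 = ssh target, $3 = remote rules dir.
deploy() {
  cp "$MASTER/local.rules" "$SENSORS/$1/local.rules"
  scp "$SENSORS/$1/local.rules" "$2:$3/local.rules"
}

for s in sensor1 sensor2; do
  echo "== $s: SIDs pending review =="
  pending_sids "$s"
done
```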

