Snort mailing list archives

RE: How do keep update my rules in Snort 2.0 over Windows 2000?


From: "Michael Steele" <michaels () winsnort com>
Date: Mon, 2 Jun 2003 00:05:01 -0700

Erek,

I can never figure out why anyone would leave rule updating to an automated
system.

I guess I could see it if there were some safeguards in place, but there would
be a LOT of safeguards that would need to be in place. I still would
prefer to do this manually rather than all the worrying that it has
failed.

Your three examples below are great ones.

The only sure guaranteed method is a manual install and verification.

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician
 mailto:michaels () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Sunday, June 01, 2003 11:02 PM
To: Jon Baer
Cc: Pig-A-Holics Anonymous; Javier Romero
Subject: Re: [Snort-users] How do keep update my rules in Snort 2.0 over
Windows 2000?


I didn't respond to the original question for various reasons, but I feel
as though I have to respond to this one.

There's quite a few reasons that doing this can be a _very_ bad thing.  I
won't go into details since they have been discussed here many times.  If
you're curious, please check the archives for 'auto update rules' [0] to
see various discussions.  I will mention some reasons:

        *  Fault tolerance
        *  Bad rules
        *  Tuned ruleset

On Sun, 1 Jun 2003, Jon Baer wrote:

[...snip...]

wget http://www.whitehats.com/ids/vision18.rules.gz

[...snip...]

You might be better off not using that ruleset.  It hasn't been updated
in quite a while.  None of those rules make use of any of the features
added in later releases.  I didn't do an each-and-every-rule comparison,
but from what I saw, quite a few (if not more) of those rules are already
in the default ruleset.


Now, what you _really_ want is something that's already written.  It's
called Oinkmaster and does its job quite well.  As much of a fan of
manual rule updates as I am, this is the best tool for that I've seen.  If
you want to have a look at Oinkmaster, it's easily found [1]--And don't
those lil' piggies look cute!?  ;-)

Check the archives and see the arguments.  Make your own choice...  Just
remember "There is no perfect solution."

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]
http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=auto+update+rules&q=b
[1] http://www.algonet.se/~nitzer/oinkmaster/


-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
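The three concerns Erek lists (fault tolerance, bad rules, a tuned ruleset) are exactly the safeguards Michael says an automated updater would need. The following Python script is an added editorial example, not code from either poster, from Oinkmaster or from the Snort project; it shows the minimum a defender-side updater should do before a downloaded ruleset is allowed to replace the live one. It works on two constructed rules files and a constructed list of locally disabled SIDs, and it does not invoke Snort itself.

```python
import os
import re

# Constructed sample data (not from the thread): the ruleset the sensor
# currently runs and a freshly downloaded replacement.
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example login"; content:"USER"; sid:1000002; rev:1;)
"""
NEW_RULES = """\
# comments and blank lines are ignored

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example probe"; content:"/probe"; nocase; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example login"; content:"USER"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS example query"; content:"|00 01|"; sid:1000003; rev:1;)
"""
# SIDs the local analyst tuned out. This is the "tuned ruleset" knowledge
# that a blind overwrite of the rules file would throw away.
DISABLED_SIDS = {1000002}

# Coarse shape of a Snort rule: optional '#', action, proto, src, port,
# direction, dst, port, then an options block in parentheses.
RULE_RE = re.compile(
    r'^(?P<prefix>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)'
    r'\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return ({sid: (rev, active, rule_text)}, [unparsable lines])."""
    rules, bad = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = RULE_RE.match(stripped)
        if stripped.startswith('#') and not m:
            continue  # an ordinary comment, not a commented-out rule
        sid = SID_RE.search(stripped)
        if not m or not sid:
            bad.append(stripped)  # "bad rules": truncated download, HTML error page, typo
            continue
        rev = REV_RE.search(stripped)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0,
                                    m.group('prefix') is None,
                                    stripped.lstrip('# '))
    return rules, bad


def merge_rules(old_text, new_text, disabled_sids, min_ratio=0.8):
    """Build the ruleset to install, or refuse and keep the old one.

    Refuses if any line fails to parse or if the new file lost more than
    (1 - min_ratio) of the old rules, which usually means a bad download.
    Re-applies the local disable list and reports what changed so a human
    can review new and revised rules before trusting them.
    """
    old, _ = parse_rules(old_text)
    new, bad = parse_rules(new_text)
    report = {'rejected': None, 'added': [], 'removed': [], 'changed': [], 'disabled': []}
    if bad:
        report['rejected'] = 'unparsable rule lines: %d' % len(bad)
        return old_text, report
    if old and len(new) < min_ratio * len(old):
        report['rejected'] = 'new ruleset has %d rules, old had %d' % (len(new), len(old))
        return old_text, report
    out = []
    for sid in sorted(new):
        rev, _, text = new[sid]
        if sid not in old:
            report['added'].append(sid)
        elif old[sid][0] != rev:
            report['changed'].append(sid)
        if sid in disabled_sids:
            report['disabled'].append(sid)
            out.append('# ' + text)   # keep the rule visible but inactive
        else:
            out.append(text)
    report['removed'] = sorted(set(old) - set(new))
    return '\n'.join(out) + '\n', report


def install_ruleset(merged_text, path):
    """Write the new file beside the old one and swap atomically, keeping a .bak for rollback."""
    tmp = path + '.new'
    with open(tmp, 'w') as fh:
        fh.write(merged_text)
    if os.path.exists(path):
        os.replace(path, path + '.bak')
    os.replace(tmp, path)


if __name__ == '__main__':
    merged, rep = merge_rules(OLD_RULES, NEW_RULES, DISABLED_SIDS)
    print(rep)
    print(merged)
```

Between `merge_rules` and `install_ruleset` a real deployment would also run Snort in test mode against the candidate file (`snort -T -c snort.conf`) and abort on a non-zero exit, which catches the rule-syntax errors the regex above cannot; the `.bak` copy is what you restart from if the swap still turns out to be wrong.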