Snort mailing list archives
Re: How do keep update my rules in Snort 2.0 over Windows 2000?
From: Erek Adams <erek () snort org>
Date: Mon, 2 Jun 2003 10:06:38 -0400 (EDT)
On Mon, 2 Jun 2003, Roy S. Rapoport wrote: [...snip...]
Now, in an environment where you have deployed the IDS as a political tool, automatic rule updates are also a political tool. They make it so you essentially A) Lower the overhead of actually managing and updating your IDS; and B) Passing the buck to someone else who'll 'take the fall' if something bad happens. Now, mind you, it's almost a win-win scenario because the person who'll be blamed -- the people who develop Snort rules, say -- can't actually be harmed by some IT guy going "hey, I don't know what happened, I guess they gave us bad rules." There's a potential PR issue, of course.
I understand your points, I just can't agree with them. * Lowering Cost: What would the cost be of a successful breakin due to auto-updated rules be? Lets just say that there was a race condition in the auto-update script, and the rules.tar.gz file was zapped. Now you have "no rules" and since it's automatic the person updating the rules as the good little drone will assume it's working fine... * Passing the buck: Let's look at the reality of the this for a moment. Snort isn't "Symantec Anti-Virus". It doesn't have a "Live Update!" button--Hell, it doesn't even have a GUI! So this auto-updater is some sort of program or script that is written by a third party. If there was a problem that caused a lost file or a munged rule, just how would this be the fault of Snort or Snort rule writers? Go back and read the old discussions on this. You'll find two camps on this issue: Auto and Manual. One thing that Auto-folks sometimes miss is that rule updates can be automated, but to a certain point. You can automate a wget and snag the new copy of the rules, and uncompress/untar them. That's fine. But this is where the manual interaction comes in. At this point is when you examine the rules, one by one if need be. Then and _only_ after you are certain they are ready to be sent out to your sensors. The sending out to the sensors should be automated, but it should be started and controlled by you. I think of auto-updates like an AutoPilot in an airplane. No that's not 'The Autopilot' (Otto) in Airplane [0]. :-) It doesn't land or take off. It just handles the more routine and monotonous tasks. Keeps the plane on course, prepared altitude, turns over control to the pilot when the weather gets bad, warns if there may be a problem ahead, etc. Auto-updates should be like that. Automated except where human intervention is required. No matter how good the program, it can never have the judgment of a real person. Excellent points, by the way. Very sad, but possibly all too true. *sigh* I guess we should all go thank Microsoft for the 'click and drool' mentality people seem to be infected with these days... :-/
(Oh, and s/IDS/Security Policy/g -- I can't tell you how non-amusing it was when I realized that the large Fortune 500 software company with whose internal workings I'm most familiar has had five CIOs in three years *AND* that every single one of them said fairly early in the process "We must have a security policy! Oh, and discard all the work on the security policy that my predecessor had paid for!").
Oh, and that's two penalty drinks [1] for 'Stupid Management Tricks'. ;-) ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson [0] http://us.imdb.com/Title?0080339 [1] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt ------------------------------------------------------- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How do keep update my rules in Snort 2.0 over Windows 2000? Javier Romero (Jun 01)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Jon Baer (Jun 01)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Erek Adams (Jun 01)
- RE: How do keep update my rules in Snort 2.0 over Windows 2000? Michael Steele (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Roy S. Rapoport (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Erek Adams (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Roy S. Rapoport (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Erek Adams (Jun 01)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Jon Baer (Jun 01)
- <Possible follow-ups>
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Javier Romero (Jun 03)