Snort mailing list archives

Re: New rules keyword error


From: Erek Adams <erek () snort org>
Date: Wed, 22 Oct 2003 16:29:12 -0400 (EDT)

On Wed, 22 Oct 2003, Marc Quibell wrote:

> Er...What?
>
> Auto-updates are only bad if you screw them up, no?

Ummm...  No.  Auto-updates are bad <period>.

<Gratuitous Princess Bride Reference>

  "Lemme 'splain."

</Gratuitous Princess Bride Reference>

In doing auto-updates, you make an assumption.  You assume that the source
is 100% perfect and pristine.  Now, call me a paranoid person (And they
are out to get me!), but unless I can "control" the server I update
from...  It's not secure, pristine or perfect.  I don't trust other people
when it comes to something as mission critical as an IDS.

Consider this:  You have all 100 of your sensors over your enterprise
set up to pull from Snort.org for rule updates.  You update.  There happens
to be a corrupt file (hey, it happens).  All of your sensors are now
screwed.  Want to explain that to your boss?  "All of our stuff broke
because I trusted someone else."

Scenario 2:  There is a human error on the remote side.  Something is
introduced into the mix that breaks something on your side.  "Well boss,
it worked fine until they changed it."

Bottom line:  I don't trust what I can't control.  I auto update from my
own 'update' box--That I manually push rules to.  I don't know about your
shop, but I can't afford the luxury of trust.

> Now why were they screwed up? Are you saying that the old nomenclature
> for "CVS Stable" no longer applies to snort 2.0.x?

Nope.  I'm saying you're grabbing the snort-current.tar.gz ruleset.  Snort
uses a 'normal' development model.  -STABLE is just that 'stable'.
-CURRENT is the "bleeding edge".  Grab the -STABLE ruleset and all should
be well.  And also remember that the SourceForge CVS servers are about
24-32 hours behind.

> Snort is no good w/o auto-updates..no time to babysit processes.

I can't agree with you on that.  For something as critical as an IDS, I
_make_ time to babysit if need be.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
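The message above describes sensors pulling only from an internal 'update' box that rules are pushed to by hand. The following is an added example, not part of the original post and not Snort project code, of a gate such a box could run before publishing a ruleset: it covers the corrupt-file and upstream-mistake scenarios by refusing to replace the last known-good rules. The function name `stage_rules`, the directory layout and the test command are assumptions, and it relies on GNU `sha256sum`, `tar` and `mktemp`.

```shell
#!/bin/sh
# Added example, not from the original post. All names and paths are assumptions.
#
# stage_rules ARCHIVE EXPECTED_SHA256 PUBLISH_DIR [TEST_CMD]
# Publishes the unpacked ruleset to PUBLISH_DIR only if every check passes.
# On any failure PUBLISH_DIR is left untouched, so sensors that pull from it
# keep the last known-good rules.
stage_rules() {
    archive=$1; expected=$2; publish=$3; test_cmd=${4:-}
    work=$(mktemp -d "$publish.new.XXXXXX") || return 1

    # 1. Integrity: compare with a hash an operator recorded when the
    #    archive was reviewed, not one fetched alongside the download.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "reject: checksum mismatch" >&2; rm -rf "$work"; return 2
    fi

    # 2. Corruption: the archive must unpack cleanly and contain rule files.
    if ! tar -xzf "$archive" -C "$work" 2>/dev/null; then
        echo "reject: archive does not unpack" >&2; rm -rf "$work"; return 3
    fi
    if ! find "$work" -name '*.rules' -type f | grep -q .; then
        echo "reject: no .rules files found" >&2; rm -rf "$work"; return 4
    fi

    # 3. Upstream mistakes: let the locally installed Snort parse the new rules
    #    first, e.g. TEST_CMD='snort -T -c <staging snort.conf>' (run in $work).
    if [ -n "$test_cmd" ] && ! (cd "$work" && sh -c "$test_cmd") >/dev/null 2>&1; then
        echo "reject: rule test command failed" >&2; rm -rf "$work"; return 5
    fi

    # 4. Promote: keep the previous set for rollback, then swap directories.
    chmod 755 "$work"
    rm -rf "$publish.prev"
    if [ -d "$publish" ]; then mv "$publish" "$publish.prev"; fi
    mv "$work" "$publish"
}
```
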