Snort mailing list archives
Re: New rules keyword error
From: "Marc Quibell" <mquibell () fbfs com>
Date: Wed, 22 Oct 2003 15:54:56 -0500
DANG! I thought I WAS getting the stable release! Doh! Thanks..

Cheese,
Marc

On Wed, 22 Oct 2003, Marc Quibell wrote:
Er...What? Auto-updates are only bad if you screw them up, no?
Ummm... No. Auto-updates are bad <period>.

<Gratuitous Princess Bride Reference> "Lemme 'splain." </Gratuitous Princess Bride Reference>

In doing auto-updates, you make an assumption. You assume that the source is 100% perfect and pristine. Now, call me a paranoid person (And they are out to get me!), but unless I can "control" the server I update from... It's not secure, pristine or perfect. I don't trust other people when it comes to something as mission critical as an IDS.

Consider this: You have all 100 of your sensors over your enterprise set up to pull from Snort.org for rule updates. You update. There happens to be a corrupt file (hey, it happens). All of your sensors are now screwed. Want to explain that to your boss? "All of our stuff broke because I trusted someone else."

Scenario 2: There is a human error on the remote side. Something is introduced into the mix that breaks something on your side. "Well boss, it worked fine until they changed it."

Bottom line: I don't trust what I can't control. I auto update from my own 'update' box--That I manually push rules to. I don't know about your shop, but I can't afford the luxury of trust.
Now why were they screwed up? Are you saying that the old nomenclature for "CVS Stable" no longer applies to snort 2.0.x?
Nope. I'm saying you're grabbing the snort-current.tar.gz ruleset. Snort uses a 'normal' development model. -STABLE is just that 'stable'. -CURRENT is the "bleeding edge". Grab the -STABLE ruleset and all should be well. And also remember that the SourceForge CVS servers are about 24-32 hours behind.
Snort is no good w/o auto-updates..no time to babysit processes.
I can't agree with you on that. For something as critical as an IDS, I _make_ time to babysit if need be.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
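Added example, not part of the original thread or of Snort itself: a gate an internal "update box" could run before sensors pull a new ruleset, so that a corrupt archive or a rule that fails to load never replaces the live set. The function name, the `VALIDATE_CMD` hook, the `.prev`/`.cand` directory naming and the use of `sha256sum` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: staging gate for an internal rules "update box".
# stage_rules TARBALL EXPECTED_SHA256 LIVE_DIR
# VALIDATE_CMD (hypothetical hook) names a command or function that receives the
# unpacked candidate directory and returns 0 only if the rules load cleanly,
# e.g. a wrapper around Snort's test mode (snort -T -c <conf>) using that directory.

stage_rules() {
    tarball=$1; expected=$2; live=$3
    [ -n "${VALIDATE_CMD:-}" ] || { echo "VALIDATE_CMD not set" >&2; return 5; }

    # 1. Integrity: compare against the digest the operator recorded on review.
    actual=$(sha256sum "$tarball" 2>/dev/null | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch, refusing $tarball" >&2; return 2
    fi

    # 2. Unpack beside the live directory, never into it.
    cand=$(mktemp -d "${live}.cand.XXXXXX") || return 3
    if ! tar -xzf "$tarball" -C "$cand" 2>/dev/null; then
        rm -rf "$cand"; echo "corrupt archive: $tarball" >&2; return 3
    fi

    # 3. Validate the candidate before any sensor can fetch it.
    if ! "$VALIDATE_CMD" "$cand"; then
        rm -rf "$cand"; echo "validation failed, live rules untouched" >&2; return 4
    fi

    # 4. Promote, keeping the previous set for rollback.
    rm -rf "${live}.prev"
    if [ -d "$live" ]; then mv "$live" "${live}.prev"; fi
    mv "$cand" "$live"
}

# Run as: VALIDATE_CMD=/path/to/check stage_rules.sh rules.tar.gz <sha256> /srv/rules
if [ "$#" -eq 3 ]; then stage_rules "$@"; fi
```

Sensors then pull only from the live directory, and the `.prev` copy gives a one-step rollback if a promoted ruleset still misbehaves in production.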