Snort mailing list archives

Re: New rules keyword error


From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 23 Oct 2003 16:42:23 -0500

This is exactly what I was thinking.  Not hard at all.  However, Chris
Green has made (for me) a really good point.  What if the new ruleset
tests fine, snort starts up, and something unique to your (or mine, or
anyone's) environment causes a flood of alerts because of new rule(s)?

Though I was seriously thinking about creating a script to do just that
(I've only been working with snort for the last few months and hadn't
gotten that far yet) I can't ignore Chris's question (thanks, Chris!). 
A flood of alerts due to a new rule isn't something I had thought of,
and I wasn't in the archives because I wasn't looking for a solution to
a problem.

Hmmm... I seem to be learning that the archives are of use for more
than just solution-hunting, and can be taken as a sort of compendium of
all human, (err, sorry about the "Time Machine" reference there :-)
snort knowledge.

Andreas Östling <andreaso () it su se> 10/23/03 02:02PM >>>

On Thu, 23 Oct 2003, John Creegan wrote:

In that script, one could use an instance of snort, even if there's
only one box doing IDS, to test the new ruleset (pointing to an
alternate ruleset).  Snort puts out plenty to know if it didn't start
because of a malformed rule or if there were daemon errors starting up
or whatever.  If no errors, fold in the new rules and restart the
production snort(s).  If errors, either go into babysitting mode or wait
for another day.

I think the solution is extremely simple:

1. Update the rules in whatever way you prefer
2. Run snort -T on the new rules (probably by simply adding -T to your
   regular snort start command line)
3. If the test is successful, go ahead and restart snort. If the test
   fails, yell for help and let the current snort process keep running

It's usually just a matter of adding one or two lines to your snort init
script...

/Andreas


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





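Andreas's three steps (update the rules, run `snort -T` against them, restart only if the test passes and otherwise leave the running process alone) as a small init-script wrapper. This is an added example, not code from the thread or from the Snort project; the binary, config and init-script paths, the `test_rules`/`safe_restart` function names and the `/etc/init.d/snort restart` interface are assumptions that a real deployment would adjust. It does not address Chris Green's separate concern about a syntactically valid rule that floods alerts; `-T` only catches rules Snort cannot load.

```shell
#!/bin/sh
# Added example: gate a Snort restart on a successful `snort -T` test run.
# Paths below are assumptions, overridable from the environment.
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"

# Step 2: run Snort in test mode (-T) on the new configuration/ruleset.
# Snort's own diagnostics (malformed rule, bad option, etc.) go to $log so
# the operator can read why a test failed. Returns snort's exit status.
test_rules() {
    conf="$1"
    log="${2:-${TMPDIR:-/tmp}/snort-test.log}"
    "$SNORT_BIN" -T -c "$conf" >"$log" 2>&1
}

# Step 3: restart the production sensor only when the test passed.
# On failure the currently running snort is left untouched and the
# failure is reported ("yell for help"); returns 1 so a caller can act.
safe_restart() {
    conf="$1"
    log="${2:-${TMPDIR:-/tmp}/snort-test.log}"
    if test_rules "$conf" "$log"; then
        "$SNORT_INIT" restart
        return $?
    fi
    echo "snort -T failed for $conf (see $log); production snort left running" >&2
    # Hypothetical notification hook: syslog it if logger is available.
    command -v logger >/dev/null 2>&1 && logger -p daemon.err -t snort-safe-restart "rule test failed for $conf"
    return 1
}

# Typical use from the rule-update job (step 1 has already fetched the rules):
#   safe_restart "$SNORT_CONF"
```

Call `safe_restart "$SNORT_CONF"` at the end of whatever job updates the rule files; because `test_rules` reads the same config the daemon uses, the test exercises exactly the ruleset that would be loaded on restart.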

