Snort mailing list archives

Re: New rules keyword error


From: "Marc Quibell" <mquibell () fbfs com>
Date: Fri, 24 Oct 2003 13:08:41 -0500



Take this offline please if you're going to reply.

I think what you're really telling me is that unlike paid products, Snort
updates are so unreliable that automatically assuming they're safe is unwise.

And I'm trying to tell you that anything those auto-updates do to my Snort
installation is trivial, and that I do not rely upon Snort to run the business.
It is merely an aid to monitor the network. It can be fixed quite easily.

Why should I not test and analyze Snort rules updates? If I tested every update
ISS sends me, I'd never get them pushed out into the field. I guess maybe that's
why THEY test them first before releasing them. Wow, what a concept. You see,
ISS has customer responsibilities. Snort does not. I rely upon ISS to be safe
and true. I do not rely upon Snort to be the same, but I do know that if there
is a problem, it's easily manageable, and it is not, again, a show-stopper.
This is why I automated rule updates.

Cheese,
Marc







jeff () snort org on 10/24/2003 11:37:10 AM

To:   Marc Quibell/FBFS@FBFS
cc:   snort-users () lists sourceforge net, frank () knobbe us

Subject:  Re: [Snort-users] New rules keyword error



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What works for a relatively small installation of Snort in many cases
is inappropriate for a large deployment.

Managing tens of sensors, the need to safely manage rule sets on a very
discrete basis becomes quite clear.

- -Jeff

On Friday, October 24, 2003, at 09:49 AM, Marc Quibell wrote:



Message: 2
Subject: Re: [Snort-users] New rules keyword error
From: Frank Knobbe <frank () knobbe us>
To: snort-users () lists sourceforge net
Date: Thu, 23 Oct 2003 13:29:10 -0500


On Thu, 2003-10-23 at 08:57, Marc Quibell wrote:
-I have always Auto-updated Snort. Period.  Never had any problems.

Oh really? You didn't run into problems during the 1.9/2.0 parallel? I
remember that CVS all of a sudden contained rules with strange new
keywords, and Snort barfed promptly. The solution was obviously to check
out the correct tag and not rely on HEAD. Maybe you got lucky with
tarballs, but I recall there being with those in the past as well.

No. Let me start this out by saying I'm not speaking for anyone else, not
assuming for anyone else. I usually do not upgrade a product until I know it's a
stable and necessary upgrade. So I believe in this case, I upgraded from Snort
1.8.x to 2.0. Now lookie there, my method worked. Any problems with 1.9.X were
avoided.

-I don't pay for this product, it's not a production show-stopper! So no one is
going to fuss about it, or even notice it, if it's out of commission for 5 mins
or 5 days!

That may be, but that's only you. Don't assume the same for others.

Riiiiight.... I merely stated my experience.

Now, why on Earth would I babysit this product? I can usually fix any problem
with rules in a matter of seconds...

Maybe I'm missing context, but IDS's need to be babysat. If you don't,
there may be something wrong with the way to do IDS.

Oh sure, I look at the logs, look for false positives, check to see if I'm
getting everything, check to see that both are still running...etc. But like my
other Linux products, everything is updated automatically: Nessus, Snort...etc.
It only makes sense to me, oh well...You do it your way, whatever that is, and
I'll do it mine. Mine seems to have less problems.

No offense, just some food for thought....

I'm still hungry.

Regards,
Frank




-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/mVU5Eqr8+Gkj0/0RArrhAKCPmYt2YOepy9mTjT49y1pbG9WKmQCdH0Cg
ut9iNuavjmQpBKSxncTHnvY=
=qOy+
-----END PGP SIGNATURE-----








