Snort mailing list archives

Re: New rules keyword error


From: Jeff Nathan <jeff () snort org>
Date: Fri, 24 Oct 2003 12:31:37 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Once upon a time some companies selling Snort-based products and services built their systems to regularly download all the rules from snort.org (via cvs) and enabled every single rule.

As a follow up to the question below, imagine if a rule that fired on every IP packet made it into CVS but was commented out...

Your ACID systems better be sitting inside an ARK if they intend to survive that flood. :)

I'm sure you folks catch my drift.

- -Jeff

On Thursday, October 23, 2003, at 05:42 PM, John Creegan wrote:

This is exactly what I was thinking.  Not hard at all.  However, Chris
Green has made (for me) a really good point.  What if the new ruleset
tests fine, snort starts up, and something unique to your (or mine, or
anyone's) environment causes a flood of alerts because of new rule(s)?

Though I was seriously thinking about creating a script to do just that
(I've only been working with snort for the last few months and hadn't
gotten that far yet) I can't ignore Chris's question (thanks, Chris!).
A flood of alerts due to a new rule isn't something I had thought of,
and I wasn't in the archives because I wasn't looking for a solution to
a problem.

Hmmm... I seem to be learning that the archives are of use for more
than just solution-hunting, and can be taken as a sort of compendium of
all human (err, sorry about the "Time Machine" reference there :-)
snort knowledge.

Andreas Östling <andreaso () it su se> 10/23/03 02:02PM >>>

On Thu, 23 Oct 2003, John Creegan wrote:

In that script, one could use an instance of snort, even if there's
only one box doing IDS, to test the new ruleset (pointing to an
alternate ruleset).  Snort puts out plenty to know if it didn't start
because of a malformed rule or if there were daemon errors starting up
or whatever.  If no errors, fold in the new rules and restart the
production snort(s).  If errors, either go into babysitting mode or wait
for another day.

I think the solution is extremely simple:

1. Update the rules in whatever way you prefer
2. Run snort -T on the new rules (probably by simply adding -T to your
   regular snort start command line)
3. If the test is successful, go ahead and restart snort. If the test
   fails, yell for help and let the current snort process keep running

It's usually just a matter of adding one or two lines to your snort init
script...

/Andreas


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Great spirits have always encountered violent opposition from
mediocre minds."   - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/mVPtEqr8+Gkj0/0RAuTtAJ9zUK1kA7k8MKaNvlrz+FbS9bmyEACgifV9
vhzipkN1O30qGAeRvbVJkaY=
=+5A0
-----END PGP SIGNATURE-----


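Andreas' three steps (update, `snort -T`, restart only on success), together with the alert-flood concern raised by Chris Green, John and Jeff above, as an added shell example. This is not code from the thread or from the Snort project. It assumes a stock-style snort.conf that includes its rules through `var RULE_PATH` (so `-S RULE_PATH=...` can point a test run at a staging directory), Snort 2.x flags `-q`, `-A console` and `-r` for a quiet pcap replay with one alert per line on stdout, a representative capture of your own traffic, an alert threshold, and an init script for the restart; all of those paths and values are assumptions to adapt.

```sh
#!/bin/sh
# Added example (not from the thread): parse-test staged Snort rules with
# `snort -T`, replay a sample of your own traffic through them to catch a
# rule that floods alerts, and only then swap them into production.
# Every path, the threshold and the restart command below are assumptions.
set -u

SNORT=${SNORT:-snort}                                       # binary; overridable for testing
PROD_CONF=${PROD_CONF:-/etc/snort/snort.conf}               # assumed: uses `var RULE_PATH`
PROD_RULES=${PROD_RULES:-/etc/snort/rules}                  # assumed: what the daemon loads
STAGE_RULES=${STAGE_RULES:-/etc/snort/staging/rules}        # assumed: freshly downloaded rules
SAMPLE_PCAP=${SAMPLE_PCAP:-/var/lib/snort/baseline.pcap}    # assumed: typical traffic capture
ALERT_CAP=${ALERT_CAP:-1000}                                # assumed: max alerts the sample may raise

# Step 2 of Andreas' recipe: `snort -T` parses the config and every included
# rule and exits non-zero on a malformed rule or unknown keyword, without
# ever going live. -S overrides RULE_PATH so the production conf is reused
# but the staged rules directory is what gets parsed.
test_config() {
    "$SNORT" -T -S "RULE_PATH=$1" -c "$PROD_CONF" >/dev/null 2>&1
}

# Chris Green's point: a rule can parse fine and still fire on every packet
# in *your* traffic. Replay a representative capture through the staged
# rules and count alerts (-q quiet, -A console prints one alert per line
# on stdout, -r reads a pcap instead of sniffing).
count_alerts() {
    "$SNORT" -q -A console -S "RULE_PATH=$1" -c "$PROD_CONF" -r "$2" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Returns 0 = safe to deploy, 1 = rules do not parse, 2 = alert flood.
decide() {
    rules=$1 pcap=$2 cap=$3
    test_config "$rules" || return 1
    n=$(count_alerts "$rules" "$pcap")
    [ "$n" -le "$cap" ] || return 2
    return 0
}

# Step 3: replace the rules and restart only when decide() says so; on any
# failure the running snort is left untouched and we "yell for help".
main() {
    decide "$STAGE_RULES" "$SAMPLE_PCAP" "$ALERT_CAP" && rc=$? || rc=$?
    case $rc in
        0) rm -rf "$PROD_RULES.prev"
           mv "$PROD_RULES" "$PROD_RULES.prev"       # keep last good set for rollback
           cp -R "$STAGE_RULES" "$PROD_RULES"
           /etc/init.d/snort restart ;;             # assumed init script
        1) echo "staged rules failed snort -T; production untouched" >&2; exit 1 ;;
        2) echo "staged rules raised more than $ALERT_CAP alerts on the sample; production untouched" >&2
           exit 2 ;;
    esac
}

# Only act when invoked as `update-rules.sh run`, so the functions can be
# sourced or exercised without a real Snort installation.
if [ "${1:-}" = run ]; then
    main
fi
```

Drop the script into cron after whatever fetches the rules; because it never restarts the daemon on a failed `-T` or on a flood, a bad rule (or one that fires on every IP packet) costs you a stale ruleset and a warning mail, not a drowned ACID console.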