[Snort-devel] O Snort development gurus!

Justin Lundy jbl at ...314...
Tue Oct 1 22:50:11 EDT 2002


> Did you know that snort reads the rules and "compiles" them into a
> set of matching rules. Having snort do that every time it gets a packet
> will not work. It can not reread the snort.conf -> rules files 
> every time and compile them.

This is not what I am suggesting. To clarify, I would like to see a 
feature where snort has the ability to load new rules, reload changed
rules, and remove rules without requiring a process restart. The action
would ideally be initiated either a) manually, b) automatically after a
rule has been modified, or c) automatically after a rule has been added
or removed from the ruleset. It would *not* occur each time a packet is
processed. It should only occur in the situations mentioned above.

> > similar to Symantec LiveUpdate where Snort would check for
> > updated rulesets and reload them on the fly. I realize that

The analogy I am drawing here is from Norton Antivirus. The LiveUpdate
program can be scheduled to automatically check for virus definition 
updates, which in our case would be snort ruleset updates. Having a 
program connect securely to a central ruleset update server, check for
ruleset updates, and keep statistics would provide useful information 
to Snort developers and the community. We could safely trust Snort to
keep itself up-to-date with the latest rulesets, and in the event of
an error it could notify [someone] via email.

Snort is mature enough to be used as an alternative to commercial NIDS
products in small to medium sized businesses. A handful of people will
assert that Snort is Enterprise material, and I do not disagree. I do
on the other hand feel that before Snort will be accepted as a serious
and professional alternative to commercial NIDS we will need these and
other Enterprise grade features available. I have spent two years with
snort and see a great deal of potential in the ability of the community
to develop a superior open-source alternative to commercial NIDS. Keep
an eye out for the OpenSIG project release.

[snip]

--jbl
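The reload behaviour proposed in the first paragraph above (recompile the rule set only when the rule file changes, never per packet; detect added, changed and removed rules; keep the running set if the new file fails to parse), as an added illustration that is not part of this thread and not Snort's own code. The simplified one-content-per-rule syntax, the sample rules and the names `Rule`, `RuleSet` and `reload_from_path` are assumptions made for the example.

```python
"""Hot-reloadable rule set: compile once, recompile only on change.

Added example for the snort-devel thread; not Snort code. The rule syntax
below is a deliberately simplified subset (hypothetical):
  alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"..."; sid:N;)
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample rule files, version 1 and a later edit (sid 1002 removed,
# sid 1003 added, sid 1001 unchanged).
RULES_V1 = '''
alert tcp any any -> any 80 (msg:"WEB cmd.exe"; content:"cmd.exe"; sid:1001;)
alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:1002;)
'''
RULES_V2 = '''
alert tcp any any -> any 80 (msg:"WEB cmd.exe"; content:"cmd.exe"; sid:1001;)
alert tcp any any -> any 80 (msg:"WEB unicode"; content:"%c0%af"; sid:1003;)
'''

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+'
    r'(?P<dport>\d+|any)\s*\(msg:"(?P<msg>[^"]*)";\s*content:"(?P<content>[^"]*)";'
    r'\s*sid:(?P<sid>\d+);\)$'
)


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    proto: str
    dport: str        # numeric string or 'any'
    content: bytes    # pre-encoded once at compile time, not per packet

    def matches(self, proto, dport, payload):
        if self.proto != proto:
            return False
        if self.dport != 'any' and int(self.dport) != dport:
            return False
        return self.content in payload


def parse_rules(text):
    """Compile rule text into {sid: Rule}; raise ValueError on any bad line."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: unparsable rule: {line}')
        sid = int(m['sid'])
        if sid in rules:
            raise ValueError(f'line {lineno}: duplicate sid {sid}')
        rules[sid] = Rule(sid, m['msg'], m['proto'], m['dport'], m['content'].encode())
    return rules


class RuleSet:
    def __init__(self, text):
        self.digest = None
        self.rules = {}
        self.reload(text)

    def reload(self, text):
        """Recompile only if the text differs from what is loaded.

        Returns (added, changed, removed) as sets of sids. The new text is
        parsed into a fresh dict first, so a syntax error raises and leaves
        the currently running rules untouched.
        """
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest == self.digest:
            return set(), set(), set()
        new = parse_rules(text)          # may raise; old rules stay live
        old = self.rules
        added = set(new) - set(old)
        removed = set(old) - set(new)
        changed = {sid for sid in set(new) & set(old) if new[sid] != old[sid]}
        self.rules, self.digest = new, digest
        return added, changed, removed

    def match(self, proto, dport, payload):
        """Return the sids of all rules that fire on one packet."""
        return sorted(r.sid for r in self.rules.values() if r.matches(proto, dport, payload))


def reload_from_path(ruleset, path):
    """Re-read a rule file; the digest check makes periodic polling idempotent."""
    with open(path, encoding='utf-8') as fh:
        return ruleset.reload(fh.read())


if __name__ == '__main__':
    rs = RuleSet(RULES_V1)
    print(rs.match('tcp', 80, b'GET /scripts/cmd.exe HTTP/1.0'))
    print(rs.reload(RULES_V2))
```

The digest check is what answers the objection quoted at the top of the message: a poller (cron, a SIGHUP handler, or a file-change notifier) can call `reload_from_path` as often as it likes, and the rules are only recompiled when the file actually changed. Parsing into a separate dictionary before swapping it in is the part an operator cares about most: a typo in a pushed rule update must not leave the sensor running with no rules.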
