[Snort-devel] O Snort development gurus!

Smith, Donald Donald.Smith at ...530...
Wed Oct 2 07:45:03 EDT 2002

Donald.Smith at ...530... GCIA
QIS/WWN Security
303-226-9939 Office
720-320-1537 cell

> -----Original Message-----
> From: Justin Lundy [mailto:jbl at ...314...]
> Sent: Tuesday, October 01, 2002 11:50 PM
> To: snort-devel at lists.sourceforge.net
> Cc: Donald.Smith at ...530...; syabbast at ...398...
> Subject: Re: [Snort-devel] O Snort development gurus!
> > Did you know that snort reads the rules and "compiles" them into a
> > set of matching rules. Having snort do that every time it 
> gets a packet
> > will not work. It can not reread the snort.conf -> rules files 
> > every time and compile them.
> This is not what I am suggesting. To clarify, I would like to see a 
> feature where snort has the ability to load new rules, reload changed
> rules, and remove rules without requiring a process restart.

What about all the preprocessors and other plugins would they be restarted?
Should they be if the rules have been recompiled?
Would you close all the open files (includeing the pcap stuff) or just
recompile the rules?
> The action
> would idealy be initiated either a) manually, b) automatically after a
> rule has been modified, or c) automatically after a rule has 
> been added
> or removed from the ruleset. It would *not* occur each time a 
> packet is
> processed. It should only occur in the situations mentioned above.
Well monitering the 33 rule files might be a bit much how about a specific
NEW rule
check done (daily | hourly |...?)
> > > similar to Symantec LiveUpdate where Snort would check for
> > > updated rulesets and reload them on the fly. I realize that
> The analogy I am drawing here is from Norton Antivirus. The LiveUpdate
> program can be scheduled to automatically check for virus definition 
> updates, which in our case would be snort ruleset updates. Having a 
> program connect securely to a central ruleset update server, check for
> ruleset updates, and keep statistics would provide useful information 
> to Snort developers and the community. We could safely trust Snort to
> keep itself up-to-date with the latest rulesets, and in the event of
> an error it could notify [someone] via email.
Ok thats mostly all do able today with out puting it "in" snort.
> Snort is mature enough to be used as an alternative to commercial NIDS
> products in small to medium sized businesses. A handful of people will
> assert that Snort is Enterprise material, and I do not disagree. I do
> on the otherhand feel that before Snort will be accepted as a serious
> and professional alternative to commercial NIDS we will need these and
> other Enterprise grade features available. I have spent two years with
> snort and see a great deal of potential in the ability of the 
> community
> to develop a superior open-source alternative to commercial NIDS. Keep
> an eye out for the OpenSIG project release.
OpenSIG?? sounds interesting.

> [snip]
> --jbl

More information about the Snort-devel mailing list