[Snort-devel] O Snort development gurus!

Erek Adams erek at ...105...
Thu Oct 3 19:33:07 EDT 2002


On Tue, 1 Oct 2002, Justin Lundy wrote:

> > Did you know that snort reads the rules and "compiles" them into a
> > set of matching rules. Having snort do that every time it gets a packet
> > will not work. It can not reread the snort.conf -> rules files
> > every time and compile them.
>
> This is not what I am suggesting. To clarify, I would like to see a
> feature where snort has the ability to load new rules, reload changed
> rules, and remove rules without requiring a process restart. The action
> would ideally be initiated either a) manually, b) automatically after a
> rule has been modified, or c) automatically after a rule has been added
> or removed from the ruleset. It would *not* occur each time a packet is
> processed. It should only occur in the situations mentioned above.

I understand what you are suggesting, but what you want isn't possible--At
this time.  Donald was right:  ...snort reads the rules and 'compiles' them...
I don't know if you've dug into the code, but due to the way snort works, it
builds the rulelist once when it's started.  (Check FAQ 3.13)

In regards to your 3 cases:

  a--That's how it's done now.
  b and c--Not a Good Thing(tm).  Snort would have to keep track of all the
modify times of each file, compare it to the current time, and then load if
it's different.  IMHO, that's _way_ too much overhead for Snort.  Use an
external program to check the rules, grab them, sanity check them, and then
just add in SIGHUP and you're done.  Very similar to Oinkmaster...  I think all
it doesn't do is SIGHUP.

[...snip...]

> The analogy I am drawing here is from Norton Antivirus. The LiveUpdate
> program can be scheduled to automatically check for virus definition
> updates, which in our case would be snort ruleset updates. Having a
> program connect securely to a central ruleset update server, check for
> ruleset updates, and keep statistics would provide useful information
> to Snort developers and the community. We could safely trust Snort to
> keep itself up-to-date with the latest rulesets, and in the event of
> an error it could notify [someone] via email.

I don't think we can ever 'safely trust' anything.  That's why they are all
out to get me.  :)

In regards to the live update:  Why not just wget snortrules-stable.tgz,
uncompress into "new", diff old vs new, and import them?  Again, Oinkmaster
does everything that you seem to be wanting with regards to rule updates and
management.

> Snort is mature enough to be used as an alternative to commercial NIDS
> products in small to medium sized businesses. A handful of people will
> assert that Snort is Enterprise material, and I do not disagree.

Agreed.

> I do on the other hand feel that before Snort will be accepted as a serious
> and professional alternative to commercial NIDS we will need these and other
> Enterprise grade features available.

*sigh*  Ok, sorry but I translate that into "Snort doesn't have a three click
installer and won't work without changes to the config."  I agree that you
always have to have the pretty charts, pictures and pointy-haired boss toys,
but that's not an 'Enterprise grade feature'.  Almost anything that I would
consider an Enterprise feature could be implemented outside of Snort.  What do
I consider Enterprise grade features?  Multi-Tiered logging, event correlation,
rule syncs for different boxes or 'classes' of boxes, remote management,
remote logging, historical datamining, ability to send pages for certain
alerts.  Every bit of that is doable right now with quite a few opensource
tools.  Granted it takes time to roll your own, but when it's done it's done
exactly the way you want.  You just need to consider how much time (and money
value) vs. how 'perfect' do you want it.

> I have spent two years with snort and see a great deal of potential in the
> ability of the community to develop a superior open-source alternative to
> commercial NIDS. Keep an eye out for the OpenSIG project release.

And it's amazing what a company like SourceFire can do to extend an OpenSource
project...  :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
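The update cycle Erek outlines above (wget snortrules-stable.tgz, unpack into "new", diff old vs new, sanity check, SIGHUP), scripted as an added shell example that is not part of this thread, of Snort, or of Oinkmaster. RULES_URL (a placeholder), the directory paths, the pidfile name and the RULE_PATH config variable are assumptions about the local install.

```shell
#!/bin/sh
# Added example, not code from this thread, Snort or Oinkmaster: the cycle Erek
# describes (fetch snortrules-stable.tgz, unpack into "new", diff old vs new,
# sanity-check, SIGHUP). URL, paths, pidfile name and RULE_PATH are assumptions.
set -eu

RULES_URL="${RULES_URL:-https://example.invalid/snortrules-stable.tgz}"  # placeholder
LIVE_DIR="${LIVE_DIR:-/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
PIDFILE="${PIDFILE:-/var/run/snort_eth0.pid}"

# Download the tarball into scratch dir $2 and unpack it into $2/rules
# (assumes the .rules files sit at the tarball's top level).
fetch_rules() {
    wget -q -O "$2/rules.tgz" "$1"
    mkdir -p "$2/rules"
    tar -xzf "$2/rules.tgz" -C "$2/rules"
}
# Return 0 if the rule files in old ($1) and new ($2) differ, 1 if they are
# identical, 2 on error. An identical download means nothing needs reloading.
rules_changed() {
    rc=0
    diff -rq "$1" "$2" >/dev/null || rc=$?
    case "$rc" in
        0) return 1 ;;
        1) return 0 ;;
        *) echo "diff failed on $1 vs $2" >&2; return 2 ;;
    esac
}
# Parse the candidate rules with snort's test mode (-T) before they go live,
# pointing RULE_PATH at the new directory so the running ruleset is untouched;
# a rule with a syntax error would otherwise take the sensor down on reload.
sanity_check() {
    snort -T -c "$SNORT_CONF" -S "RULE_PATH=$1" >/dev/null 2>&1
}
main() {
    work=$(mktemp -d)
    fetch_rules "$RULES_URL" "$work"
    rc=0; rules_changed "$LIVE_DIR" "$work/rules" || rc=$?
    [ "$rc" -eq 2 ] && return 2
    [ "$rc" -eq 1 ] && { echo "no rule changes"; rm -rf "$work"; return 0; }
    diff -ru "$LIVE_DIR" "$work/rules" || true   # show the operator what changed
    sanity_check "$work/rules" || { echo "new rules fail snort -T, not installed" >&2; return 1; }
    cp -a "$LIVE_DIR" "$LIVE_DIR.bak.$(date +%s)"   # keep a copy to roll back to
    cp "$work/rules"/*.rules "$LIVE_DIR"/ && kill -HUP "$(cat "$PIDFILE")"
    rm -rf "$work"
}
# Run the full cycle only when invoked as "update"; otherwise just define functions.
if [ "${1:-}" = update ]; then main; fi
```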
