[Snort-sigs] Oinkmaster questions

Russell Fulton r.fulton at ...575...
Mon Jun 9 14:15:16 EDT 2003

On Tue, 2003-06-10 at 07:00, Philip Davidson wrote:
> Hello all,
> Has anyone ever had any problems with letting oinkmaster be fully
> automated?  Some documentation that I have says that it could be
> unreliable for a couple of reasons.  But I am wondering if anyone has
> ever had any problems like snort messing up as a result of full
> automation.

There have been *very* occasional glitches where new rules have triggered
bugs in some configurations.  I have my own equivalent of oinkmaster
(I'm currently dumping it in favour of oinkmaster) and I have had
problems with it barfing on some new rules that it did not know how to
handle.  Oinkmaster is probably more robust in this respect -- it does
not try to be as smart as mine ;-) and is more stable because of it.

The thing to remember is that these problems will only occur when you
are off site and out of touch.  (My last problem of this nature occurred
when I was at the FIRST conference in Hawaii -- just a year ago when
the first rules using byte_test and byte_jump appeared.)

What I do is run two systems, one of which is updated automatically and
one of which is updated manually as a backup.  Should the first fail
for whatever reason the other one normally keeps running.  I update the
backup about once a month (or if any particularly significant signatures
are released).  It runs on an older box and drops the odd packet here
and there but is adequate as a backup -- it is my old primary box.

Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
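The failure mode discussed in this thread (a freshly downloaded rule that the sensor's Snort cannot parse, discovered only when the admin is away) can be caught before it takes the sensor down. The wrapper below is an added example, not code from the thread or from the Oinkmaster project: it fetches into a staging directory, installs the staged rules while keeping the previous set aside, runs Snort's own configuration test (`snort -T`) and rolls back if that test fails, so the running process is only reloaded when the new rule set is known to parse. All paths, the oinkmaster.conf location and the pid file are assumptions to adjust for your installation; the external steps are plain functions so they can be swapped for stubs in a dry run.

```shell
#!/bin/sh
# Added example (not from the Snort-sigs thread): apply an automated rule
# update only if Snort can parse the result; otherwise keep the old rules.
#
# Assumed paths and files (change to match your installation):
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
STAGING_DIR="${STAGING_DIR:-/var/tmp/snort-rules-staging}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
OINKMASTER_CONF="${OINKMASTER_CONF:-/etc/oinkmaster.conf}"
SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort_eth0.pid}"

# Each external step is its own function so it can be replaced (for example
# by a stub during a dry run) without touching the control flow below.
fetch_rules() {        # download the current rule set into directory "$1"
    oinkmaster.pl -C "$OINKMASTER_CONF" -o "$1"
}
validate_config() {    # ask Snort to parse the config and every included rule
    snort -T -c "$SNORT_CONF"
}
reload_snort() {       # Snort restarts and re-reads its configuration on SIGHUP
    kill -HUP "$(cat "$SNORT_PIDFILE")"
}

restore_previous() {   # put the rule set that was in service back in place
    rm -rf "$RULES_DIR"
    mv "$RULES_DIR.prev" "$RULES_DIR"
}

# Returns 0 when the new rules are live, 1 when the old rules were kept.
safe_update() {
    rm -rf "$STAGING_DIR"
    mkdir -p "$STAGING_DIR"
    # Start from the rules in service: oinkmaster updates files in place,
    # and files it leaves untouched must still exist after the swap.
    cp -R "$RULES_DIR"/. "$STAGING_DIR"/
    if ! fetch_rules "$STAGING_DIR"; then
        echo "rule download failed, current rules kept" >&2
        return 1
    fi
    # Install the staged rules, keeping the previous set for rollback. The
    # running Snort keeps the rules it has in memory until it is reloaded.
    rm -rf "$RULES_DIR.prev"
    mv "$RULES_DIR" "$RULES_DIR.prev"
    cp -R "$STAGING_DIR" "$RULES_DIR"
    if ! validate_config; then
        echo "snort -T rejected the new rules, rolling back" >&2
        restore_previous
        return 1
    fi
    reload_snort
}

# Perform the update only when invoked as:  sh safe_update.sh run
if [ "${1:-}" = "run" ]; then
    safe_update
fi
```

After a successful run the previous rule set stays in `$RULES_DIR.prev`, so a rule that parses but misbehaves at runtime can still be backed out by hand; after a failed run the previous set has already been moved back. Logging the rollback somewhere that is read when you return (syslog, mail to the security officer) is the other half of the arrangement.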
