[Snort-sigs] Bleedingsnort.com Daily Update

Hugo van der Kooij hvdkooij at ...481...
Tue Aug 31 22:25:14 EDT 2004


On Tue, 31 Aug 2004, Jose Maria Lopez wrote:

> I have read this message and I would like to know if oinkmaster
> is really capable of getting the new rules and adding them without
> touching the rules I have changed. This could be very important
> for me, because when I install snort to a client they always want
> rules to be updated automatically, but I always need to touch them
> to make a good IDS.
>
> So my question is: are you using oinkmaster to do this work? Could
> it do what I want it to do?

No.

Because the moment you change a rule you are out of sync and need to claim
your own ID and not leave the original ID in.

However, if you make sure any rule you change gets its own unique ID
(say add 4500000 to the ID) you can then disable any changed ID from the
original list as documented in oinkmaster.

But the only way to know if it works is to try it.

And I would never install an IDS with automatic rules like the ones on
bleedingsnort unless you have 24/7 access to the system and a
knowledgeable admin.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
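
The renumber-and-disable approach described in the reply above, as an added example that is not part of the original post or of oinkmaster itself. The sample rules and function names are constructed for illustration; the 4500000 offset is the one suggested in the reply, and `disablesid` is the oinkmaster.conf directive for turning off an upstream SID.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
OFFSET = 4500000  # offset suggested in the reply

# Constructed sample rules (not real signatures).
UPSTREAM = """\
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE one"; content:"foo"; sid:2000001; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"EXAMPLE two"; content:"bar"; sid:2000002; rev:3;)
"""
LOCAL = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; content:"foo"; nocase; sid:2000001; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"EXAMPLE two"; content:"bar"; sid:2000002; rev:3;)
"""

def index_rules(text):
    """Map SID -> rule line, skipping comments and blank lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            rules[int(m.group(1))] = line
    return rules

def split_local_changes(upstream_text, local_text, offset=OFFSET):
    """Return (renumbered local rules, disablesid lines) for locally edited rules."""
    upstream = index_rules(upstream_text)
    local = index_rules(local_text)
    taken = set(upstream) | set(local)
    renumbered, disable = [], []
    for sid, rule in sorted(local.items()):
        if sid not in upstream or upstream[sid] == rule:
            continue  # local-only rule or untouched upstream rule
        new_sid = sid + offset
        if new_sid in taken:  # never reuse an ID that already exists
            raise ValueError(f"SID {new_sid} already in use")
        taken.add(new_sid)
        renumbered.append(SID_RE.sub(f"sid:{new_sid};", rule, count=1))
        disable.append(f"disablesid {sid}")
    return renumbered, disable

if __name__ == "__main__":
    rules, disable = split_local_changes(UPSTREAM, LOCAL)
    print("\n".join(rules))    # for a local rules file the updater does not overwrite
    print("\n".join(disable))  # for oinkmaster.conf
```
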



