[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Erik Fichtner emf at ...3056...
Wed Jun 8 12:56:42 EDT 2005

On Wed, Jun 08, 2005 at 02:44:28PM -0500, Eric Hines wrote:
> These new SSH signatures brought down all of our customer's Snort
> installations because that SSH_PORTS variable is not in the default
> snort.conf file. 

An alert was posted about requiring the variable a full day before the
rules were posted.

> I can't see anyone needing a variable for SSH port 22. Can
> we kill the variable? 

People who specifically run ssh on nonstandard ports *asked* for the
variable.  They're also the ones that asked for the rules.

> I can't imagine how the AWCC nor any other Snort
> management solution that downloads signatures from the Bleeding-Edge
> database will then go in to the users snort.conf file and create this new
> variable for the user.

vars can be included directly in the .rules files.   If the management
solutions can't handle that, they are buggy.

> The AWCC now downloads signatures from bleeding-edge automatically, I'm sure
> there are other tools that do the same. Will we then expect everyone whose
> maintaining a Snort ruleset management tool to also go in their and add the
> SSH_PORTS variable to the snort.conf file in the case that they downloaded
> Eric's SSH rules?

bleeding-snort disclaims all liability for production difficulties.
Life on the bleeding edge is sometimes perilous.

You should at least look at the deltas before importing them.  You want
the rules to absolutely never crash your snort instance?  fetch them
with the source code tarball.

Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050608/3d8ef594/attachment.sig>

More information about the Snort-sigs mailing list