[Snort-users] rule database

Gregor Binder gbinder at ...462...
Wed Mar 14 06:35:28 EST 2001


Roeland Weve on Wed, Mar 14, 2001 at 11:56:06AM +0100:

Roeland,

> But now I'm having troubles with the rules database. When I will finish
> the project, almost everything must go automatically.
> Two reasons: I will leave and nobody else has the time to maintain it
> every day.

just my personal opinion, if nobody in this company understands the NIDS,
or is willing to learn about it, you might as well not run one at all. It
will probably confuse them more than it will help.

If there is no one to maintain the NIDS, I take it there is no one to
determine the actual impact of an alert either? A lot of rules will
match actual (severe) attacks and false positives (matching NOOPs for
example), and if you leave all those out, you might miss a lot of
things.

> I can remove the non-important rules from the database and let Snort run
> on a machine and if there is a suspicious hack attempt,
> the machine must warn somebody that an intruder is trying to hack (I'll
> have to implement this, does somebody have any ideas on this point?).

Since you will have very few entries in your logs if you eliminate
everything that could possibly produce a false positive, just mail your
alert log from cron if it's non-zero and delete it :)

> How can I automatically add rules, that are important enough to warn
> somebody, to the database?

As you have specific requirements, it probably can't be done easily
(and work for a long time), besides not being a very good idea according
to (I think) the majority of NIDS operators. If you want to do it anyway,
use wget with the rule categories you want to retrieve:

http://www.snort.org/Database/rules_results.asp?type=RULE_CAT&port=&keyword=&thedate=

Substitute RULE_CAT with whatever type you think would be appropriate
for your environment, see the snort homepage for available rule types.

EUR.02, Regards,

  Gregor.

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany         TEL +49-40-63647482
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
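An added example, not part of Gregor's message, of the cron job he suggests above: it mails the alert file whenever it is non-empty. It truncates the file in place instead of deleting it, because a running Snort keeps the alert file open and would otherwise go on appending to an unlinked file that nobody reads. The alert path, recipient and mail command are assumptions.

```shell
#!/bin/sh
# Cron job for a Snort sensor that nobody watches: mail the alert file if it
# has content, then empty it. Path, recipient and mailer are assumptions.
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"      # assumed default alert file
RECIPIENT="${RECIPIENT:-ids-oncall@example.invalid}"  # placeholder recipient

# send_report SUBJECT RECIPIENT -- body on stdin. Redefine to use sendmail etc.
send_report() {
    mail -s "$1" "$2"
}

# report_snort_alerts FILE RECIPIENT
# Returns 0 if there was nothing to send or the mail went out, 1 on failure.
report_snort_alerts() {
    file="$1"; rcpt="$2"
    snapshot="$file.$$"                 # private copy, unique per invocation
    [ -s "$file" ] || return 0          # nothing to report

    # Copy, then truncate in place (like logrotate's copytruncate). Snort holds
    # the file open in append mode: after truncation its next write lands at
    # offset 0, whereas after rm it would keep writing to the unlinked inode.
    # Alerts appended between cp and truncate are lost; that window is tiny.
    cp "$file" "$snapshot" || return 1
    : > "$file"

    # Both alert_fast and alert_full mark each alert with one "[**]" line.
    count=$(grep -c '\[\*\*\]' "$snapshot" || true)
    host=$(hostname 2>/dev/null || echo unknown-host)

    if send_report "Snort: $count alert(s) on $host" "$rcpt" < "$snapshot"; then
        rm -f "$snapshot"
    else
        echo "mail to $rcpt failed; alerts kept in $snapshot" >&2
        return 1
    fi
}

# Run from cron, e.g. "*/15 * * * * /usr/local/sbin/snort-alert-mail --cron"
if [ "${1:-}" = "--cron" ]; then
    report_snort_alerts "$ALERT_FILE" "$RECIPIENT"
fi
```

If the mail step fails, the snapshot is kept on disk and the job exits non-zero, so a later run or a human can still recover those alerts.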