[Snort-users] rules update

Matt Kettler mkettler at ...4108...
Mon Nov 19 13:13:03 EST 2001


1) Yes, manually overwrite them, then restart or SIGHUP your snort daemon. 
Don't forget to check the snort.conf file and update the variables in the 
new one.

2) If you were auto-updating signatures, what would happen if someone 
managed to hack the snort rule server and put up an empty signature list? 
You'd be unprotected. Manual install implies some level of quick "is this 
list reasonable" checking on your part.

Malicious intent aside, how would you sensibly auto-update? The snort.conf 
file needs edits to have your IP address ranges, so you can't use the new 
one as-is. Also, the number of .rules files included by snort.conf varies, 
so you can't use your old one.

Besides all that, the default ruleset is often not exactly what you want. I 
for one have to tweak a few rules out (mostly ICMP ones) or I get flooded, 
and add a few custom rules of my own to local.rules based on the structure 
of the network here. Once you have a feel for snort you'll probably find 
tweaks of your own.


At 03:09 PM 11/19/2001, you wrote:
>If I'm to update it manually - what should I do - download it and simply
>overwrite existing snort rules files?
>Why shouldn't I update it automatically?
>(It's good that I shouldn't because I don't know how :-)
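
The quick "is this list reasonable" check described in the reply above can be partly scripted before the files are copied over. This is an added example, not part of the original message or of Snort; the function names, the 20% drop threshold and all sample data are assumptions, and it relies only on snort.conf `include` lines and the rule action keywords alert, log, pass, activate and dynamic.

```python
import re
from pathlib import Path

RULE = re.compile(r"^\s*(alert|log|pass|activate|dynamic)\s")  # Snort rule actions
INCLUDE = re.compile(r"^\s*include\s+(\S+\.rules)\s*$", re.M)  # snort.conf includes

def load_dir(path):
    """Read every *.rules file in a directory into {file name: text}."""
    return {f.name: f.read_text(errors="replace") for f in Path(path).glob("*.rules")}

def rules(text, disabled=False):
    """Active rule lines, or (disabled=True) rule lines commented out with '#'."""
    lines = (ln.strip() for ln in text.splitlines())
    if disabled:
        lines = (ln.lstrip("# ") for ln in lines if ln.startswith("#"))
    return [ln for ln in lines if RULE.match(ln)]

def check_update(old, new, conf_text, max_drop=0.2):
    """Return reasons not to copy `new` over `old`; an empty list means no objection."""
    problems = []
    count = lambda files: sum(len(rules(t)) for t in files.values())
    old_n, new_n, after_n = count(old), count(new), count({**old, **new})
    if new_n == 0:
        problems.append("update contains no active rules")
    elif after_n < old_n * (1 - max_drop):  # heuristic threshold, an assumption
        problems.append(f"active rules would drop from {old_n} to {after_n}")
    for name in sorted(set(old) & set(new)):  # files the copy would overwrite
        if rules(old[name]) and not rules(new[name]):
            problems.append(f"{name}: overwritten with no active rules")
        back = set(rules(old[name], disabled=True)) & set(rules(new[name]))
        if back:
            problems.append(f"{name}: re-enables {len(back)} rule(s) you commented out")
    included = {Path(p).name for p in INCLUDE.findall(conf_text)}
    for name in sorted(included - set(new) - set(old)):
        problems.append(f"{name}: included by snort.conf but not present")
    for name in sorted(set(new) - included):
        problems.append(f"{name}: in the update but not included by snort.conf")
    return problems

# Constructed sample data (not real Snort rules or a real snort.conf).
R = 'alert tcp any any -> any 80 (msg:"constructed web sample";)\n'
P = 'alert icmp any any -> any any (msg:"constructed ping sample";)\n'
CONF = "var HOME_NET 192.0.2.0/24\ninclude web.rules\ninclude icmp.rules\ninclude local.rules\n"
OLD = {"web.rules": R * 10, "icmp.rules": "# " + P + R * 4, "local.rules": R * 2}
EMPTY = {"web.rules": "", "icmp.rules": ""}
GOOD = {"web.rules": R * 11, "icmp.rules": P + R * 4, "ddos.rules": R * 3}
if __name__ == "__main__":
    for label, new in (("empty", EMPTY), ("good", GOOD)):
        print(label, check_update(OLD, new, CONF))
```

For real use, pass `load_dir()` of the installed and the downloaded rule directories plus the text of your edited snort.conf; the commented-out match is exact, so a rule whose text changed upstream is not recognised as one you disabled.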




