[Snort-users] rules update
mkettler at ...4108...
Mon Nov 19 13:13:03 EST 2001

1) Yes, manually overwrite them, then restart or SIGHUP your snort daemon.
Don't forget to check the snort.conf file and update the variables in the

2) If you were auto-updating signatures, what would happen if someone
managed to hack the snort rule server and put up an empty signature list?
You'd be unprotected. Manual install implies some level of quick "is this
list reasonable" checking on your part.

Malicious intent aside, how would you sensibly auto-update? The snort.conf
file needs edits to have your IP address ranges so you can't use the new
one as-is. Also, the number of .rules files included by snort.conf varies,
so you can't use your old one.

Besides all that, the default ruleset is often not exactly what you want. I
for one have to tweak a few rules out (mostly ICMP ones) or I get flooded,
and add a few custom rules of my own to local.rules based on the structure
of the network here. Once you have a feel for snort you'll probably find
tweaks of your own.

At 03:09 PM 11/19/2001, you wrote:
>If I'm to update it manually - what should I do - download it and simply
>overwrite existing snort rules files?
>Why shouldn't I update it automatically?
>(It's good that I shouldn't 'cause I don't know how :-)
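
An added example, not part of the original post: one way to script the quick "is this list reasonable" check described above before overwriting the installed rules, covering both the empty-list case and .rules files that snort.conf includes but the new set lacks. The directory layout, the 80% threshold (`MIN_PCT`), the treatment of local.rules as a site-only file, and the sample rules written by `make_sample` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The 80% threshold and the
# sample rules written by make_sample() are constructed for illustration.
# Usage (assumed paths): rules_sane <installed-dir> <new-dir> <snort.conf>

# Count active (uncommented) rules in every *.rules file of a directory.
count_rules() {
    cat "$1"/*.rules 2>/dev/null |
        grep -Ec '^[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' || true
}

# Print .rules files that snort.conf includes but the new set does not ship.
missing_includes() {    # $1 = snort.conf, $2 = new rules dir
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\(.*\.rules\)[[:space:]]*$/\1/p' "$1" |
    while read -r f; do
        f=${f##*/}                            # drop any directory prefix
        [ "$f" = local.rules ] && continue    # assumed site-only file, kept as-is
        [ -f "$2/$f" ] || echo "$f"
    done
}

# Return 0 only if the new set looks reasonable next to the installed one.
rules_sane() {          # $1 = installed rules dir, $2 = new rules dir, $3 = snort.conf
    old=$(count_rules "$1"); new=$(count_rules "$2")
    min=$(( old * ${MIN_PCT:-80} / 100 ))
    echo "active rules: installed=$old new=$new minimum=$min"
    if [ "$new" -eq 0 ] || [ "$new" -lt "$min" ]; then
        echo "REJECT: new ruleset is empty or far smaller than the installed one"
        return 1
    fi
    miss=$(missing_includes "$3" "$2")
    if [ -n "$miss" ]; then
        echo "REJECT: snort.conf includes files missing from the new set:" $miss
        return 1
    fi
    echo "OK: diff the sets by hand, copy the files, then SIGHUP snort"
}

# Build a constructed installed set, new set and snort.conf under $1.
make_sample() {
    mkdir -p "$1/live" "$1/new"
    r='alert tcp any any -> $HOME_NET 80 (msg:"constructed"; sid:100000'
    printf '%s1;)\n%s2;)\n' "$r" "$r" > "$1/live/web.rules"
    printf '# %s3;)\n%s4;)\n' "$r" "$r" > "$1/live/icmp.rules"
    printf '%s5;)\n' "$r" > "$1/live/local.rules"
    printf '%s1;)\n%s2;)\n%s6;)\n' "$r" "$r" "$r" > "$1/new/web.rules"
    printf '%s3;)\n%s4;)\n' "$r" "$r" > "$1/new/icmp.rules"
    printf 'var HOME_NET 192.0.2.0/24\ninclude web.rules\ninclude icmp.rules\ninclude local.rules\n' > "$1/snort.conf"
}
```

A pass from this check only says the set is not obviously broken; the locally disabled rules and the snort.conf variables still have to be carried over by hand.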