[Snort-users] rules update

Martin Roesch roesch at ...1935...
Mon Nov 19 18:30:03 EST 2001


Since the snort-current rules stuff is just built out of CVS, you could
always do a 'cvs update' and not have to worry about custom local
configuration getting whacked...

     -Marty

Matt Kettler wrote:
> 
> 1) yes, manually over-write them, then restart or SIGHUP your snort daemon.
> Don't forget to check the snort.conf file and update the variables in the
> new one.
> 
> 2) If you were auto-updating signatures, what would happen if someone
> managed to hack the snort rule server and put up an empty signature list..
> you'd be unprotected. Manual install implies some level of quick "is this
> list reasonable" checking on your part.
> 
> Malicious intent aside, how would you sensibly auto-update? The snort.conf
> file needs edits to have your IP address ranges so you can't use the new
> one as-is. Also, the number of .rules files included by snort.conf varies,
> so you can't use your old one.
> 
> Besides all that, the default ruleset is often not exactly what you want. I
> for one have to tweak a few rules out (mostly ICMP ones) or I get flooded,
> and add a few custom rules of my own to local.rules based on the structure
> of the network here. Once you have a feel for snort you'll probably find
> tweaks of your own.
> 
> At 03:09 PM 11/19/2001, you wrote:
> >If I'm to update it manually - what should I do - download it and simply
> >overwrite existing snort rules files?
> >Why shouldn't I update it automatically?
> >(It's good that I shouldn't 'cause I don't know how :-)

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
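
The "is this list reasonable" check from the quoted reply, together with its point about keeping local.rules and a hand-edited snort.conf, sketched as an added example that is not part of the original thread. The function names, the 50% drop threshold and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The 50% threshold and the directory
# layout (live rules dir vs. freshly downloaded dir) are assumptions.

# Count active (uncommented) rules in every *.rules file of a directory.
count_rules() {
    cat "$1"/*.rules 2>/dev/null |
        grep -Ec '^[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' || true
}

# Succeed only if the candidate ruleset is non-empty and has not lost
# more than half of the rules currently installed.
rules_sane() {
    old=$(count_rules "$1")
    new=$(count_rules "$2")
    if [ "$new" -eq 0 ]; then
        echo "REJECT: candidate ruleset has no active rules" >&2
        return 1
    fi
    if [ $((new * 2)) -lt "$old" ]; then
        echo "REJECT: active rules dropped from $old to $new" >&2
        return 1
    fi
    echo "OK: $old -> $new active rules"
}

# List candidate rule files that the existing snort.conf never includes,
# so the admin knows which include lines to add by hand.
unreferenced_rules() {
    for f in "$2"/*.rules; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        grep -Eq "^[[:space:]]*include[[:space:]].*$name" "$1" || echo "$name"
    done
}

# Copy vetted rules into place; local.rules and snort.conf are never touched.
install_rules() {
    rules_sane "$1" "$2" || return 1
    for f in "$2"/*.rules; do
        if [ "$(basename "$f")" != "local.rules" ]; then
            cp "$f" "$1"/
        fi
    done
}
```

Call `install_rules LIVE_DIR NEW_DIR` first and `unreferenced_rules LIVE_DIR/snort.conf NEW_DIR` next, then SIGHUP or restart snort as described in the quoted reply.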
