[Snort-users] Rule management

Jeff Dell jdell at ...1095...
Tue Nov 27 04:39:03 EST 2001


I have thought about that and I have had a lot of people question me
about the choice of win2k. Well, at the time I started it I had to have
a win2k workstation at my desk, so I just continued to work with it. I
now only work on it on my free time, which is about 5-10 hours a week,
so rewriting it for Linux could take some time. The funny thing is that
I have never used snort with windows. I have always used it with Linux.
Maybe someday I will get off my lazy ass and do something with Linux.

Jeff

> -----Original Message-----
> From: Jason Lewis [mailto:jlewis at ...2449...] 
> Sent: Tuesday, November 27, 2001 7:25 AM
> To: 'Jeff Dell'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Rule management
> 
> 
> I misspoke and I apologize.  I was thinking about IDS Policy 
> Manager and typed IDScenter.  I have used it and it is handy.
> 
> My problem is win2k.  heh  Jeff how about a linux version?  
> Or even something web based?
> 
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
> 
> 
> 
> 
> -----Original Message-----
> From: Jeff Dell [mailto:jdell at ...1095...]
> Sent: Tuesday, November 27, 2001 7:05 AM
> To: jlewis at ...2449...; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Rule management
> 
> 
> 
> I have been working on a tool that does just this: IDS Policy 
> Manager www.activeworx.com. It does complete rule management 
> for Snort. Yes, this tool does reside on Windows 2k, but it 
> handles rules for really any os. One thing it doesn't 
> presently have is automatic rule update. But it does 
> everything else. If that is something that is in high demand, 
> it should be easy enough to do.
> 
> To be honest with you, I watch how often the CVS rules get 
> updated and it only happens about once a week. If you modify 
> your ids sensors more than once a week, it is easy enough to 
> just click a button to merge in the new rules as you are 
> modifying them. This way you know exactly which rules were 
> merged in and if you really want them enabled or not. I 
> personally have a hard time just updating the policy without 
> me knowing what changes have been made.
> 
> Jeff
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason 
> > Lewis
> > Sent: Tuesday, November 27, 2001 6:34 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Rule management
> >
> >
> > I was thinking about all the requests for automatic rule 
> updates.  I 
> > think this stems from the anti-virus auto update features.  The 
> > thinking is....the more up to date the sigs are, the better off you 
> > are.
> >
> > What we really need is a rule management tool.  IDScenter 
> does some of 
> > this, but it runs on Win2k.  (You can manage linux sensors too)
> >
> > Is anyone updating a master rule list and pushing updates 
> to sensors?  
> > I have tossed around different ideas for doing this and 
> thought maybe 
> > I could get some feedback here.  I was thinking a directory 
> structure 
> > that had folders for each sensor and rules were updated 
> automatically 
> > via scp. Thoughts?
> >
> > Jason Lewis
> > http://www.packetnexus.com
> > It's not secure "Because they told me it was secure".
> > The people at the other end of the link know less
> > about security than you do. And that's scary.
> >
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
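The workflow the thread circles around (a master rule list, a directory per sensor, merge upstream changes so you can see exactly which rules came in before anything is enabled, then push over scp) as an added example in POSIX sh. This is not IDS Policy Manager's code and not anything the posters described running; the rule files, sids (in the local 1000000+ range), sensor name and scp destination are constructed placeholders.

```sh
#!/bin/sh
# Added example: merge a freshly pulled master rule set into one sensor's
# rule file without silently enabling anything, report what changed, and
# (optionally) push the reviewed file with scp. All data below is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

rule_sids() {
  # Every sid in a rule file, one per line, sorted. Commented-out rules count
  # too: a rule the operator disabled locally must not be re-added as "new".
  sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | sort -u
}

sid_rev() {
  # "sid rev" pairs, sorted on sid, so revision bumps upstream can be spotted.
  sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*rev:[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1" | sort -k1,1 -u
}

new_rules() {
  # Print each rule line in MASTER whose sid is absent from SENSOR.
  master=$1 sensor=$2
  rule_sids "$sensor" > "$WORK/have"
  while IFS= read -r line; do
    sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$sid" ] || continue
    grep -qx "$sid" "$WORK/have" || printf '%s\n' "$line"
  done < "$master"
}

changed_revs() {
  # sids present in both files where upstream changed the rev (rule revised).
  master=$1 sensor=$2
  sid_rev "$master" > "$WORK/mr"; sid_rev "$sensor" > "$WORK/sr"
  join "$WORK/mr" "$WORK/sr" | awk '$2 != $3 { print $1 }'
}

merge_rules() {
  # Write SENSOR's rules plus every new MASTER rule, commented out, to OUT.
  # Prints the number of rules appended. The operator enables them by hand.
  master=$1 sensor=$2 out=$3
  cp "$sensor" "$out"
  new_rules "$master" "$sensor" > "$WORK/new"
  n=$(grep -c . "$WORK/new" || true)
  if [ "$n" -gt 0 ]; then
    printf '\n# --- %s rule(s) merged from master on %s; review, then drop the leading "# " to enable ---\n' \
      "$n" "$(date +%F)" >> "$out"
    sed 's/^/# /' "$WORK/new" >> "$out"
  fi
  echo "$n"
}

push_rules() {
  # Ship a reviewed rule file to its sensor (placeholder host/path; not run here).
  scp "$1" "root@$2:/etc/snort/snort.rules"
}

# Constructed master (upstream) and per-sensor rule files.
mkdir -p "$WORK/master" "$WORK/sensors/web01"
cat > "$WORK/master/snort.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example A"; content:"/a"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example B"; content:"/b"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example C"; content:"USER"; sid:1000003; rev:1;)
EOF
cat > "$WORK/sensors/web01/snort.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example A"; content:"/a"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example B"; content:"/b"; sid:1000002; rev:1;)
EOF

MASTER=$WORK/master/snort.rules
SENSOR=$WORK/sensors/web01/snort.rules
MERGED=$WORK/sensors/web01/snort.rules.new

ADDED=$(merge_rules "$MASTER" "$SENSOR" "$MERGED")
echo "web01: $ADDED new rule(s) merged (disabled); revised upstream: $(changed_revs "$MASTER" "$SENSOR" | tr '\n' ' ')"
[ "${PUSH:-0}" = 1 ] && push_rules "$MERGED" web01.example.org
```

Run as-is it only reports (one new rule, sid 1000003, appended commented out; sid 1000001 flagged as revised; the locally disabled 1000002 left alone). Set `PUSH=1` to scp the reviewed file to the sensor and reload Snort there yourself. Merging the merged file a second time adds nothing, so the step can be repeated after every upstream pull.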
