[Snort-users] rule sets on CVS

Bob Van Cleef vancleef at ...211...
Thu Sep 6 09:15:01 EDT 2001


On Wed, 5 Sep 2001, Ramin Alidousti wrote:

> On Wed, Sep 05, 2001 at 05:12:25PM -0700, Bob Van Cleef wrote:
> 
> > I would like to set up a script to routinely download and replace
> > the rule sets.  Has anyone else done so?
> 
> Excuse my paranoia but is it wise to do so? How difficult is it to
> poison such a download? Maybe it's impossible; I've not thought about
> it thoroughly but just the idea of an automatic replacement of such
> an important thing seems scary to me.
> 
> Ramin

It should be relatively easy to verify things.  For one thing, someone
would have to poison the CVS source that everyone is using, which should
be uncovered rather quickly.  

Is there any difference between manually running a CVS update and running
it through a script?  I can't imagine that everyone runs a full suite of
regression tests every time they update their copy of source from CVS.

Maybe that is the solution, develop some regression tests for snort. But, 
the paranoid would point out that the corrupter would simply need to ensure 
that the corrupted version would pass the published regression tests.....
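
One way to put a check in front of the automatic replacement discussed in this thread, as an added example that is not part of the original posts or of Snort itself: compare the downloaded rules with the installed ones and hold the swap for review when detection coverage shrinks. The function names, the sample rules and their sids are constructed, and the check assumes every rule carries a `sid` option.

```python
import re

# Keywords that open an active rule line; a leading '#' means the rule is disabled.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Map sid -> action for every active rule (assumes each rule has a sid)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        m = SID_RE.search(line)
        if action in ACTIONS and m:
            rules[int(m.group(1))] = action
    return rules

def review_update(current_text, candidate_text, max_removed=0):
    """Return (ok, findings); ok is False when the swap needs a human look."""
    cur, new = parse_rules(current_text), parse_rules(candidate_text)
    findings = []
    removed = sorted(set(cur) - set(new))
    if len(removed) > max_removed:
        findings.append(("removed_or_disabled", removed))
    changed = sorted(s for s in set(cur) & set(new) if cur[s] != new[s])
    if changed:
        findings.append(("action_changed", changed))
    new_pass = sorted(s for s in set(new) - set(cur) if new[s] == "pass")
    if new_pass:
        findings.append(("new_pass_rule", new_pass))
    return (not findings, findings)

# Constructed sample rule files (hypothetical sids and content).
INSTALLED = '''
alert tcp any any -> any 80 (msg:"constructed A"; content:"aaa"; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"constructed B"; content:"bbb"; sid:1000002; rev:1;)
'''
ROUTINE = INSTALLED + 'alert tcp any any -> any 25 (msg:"constructed C"; content:"ccc"; sid:1000003; rev:1;)\n'
SUSPECT = '''
alert tcp any any -> any 80 (msg:"constructed A"; content:"aaa"; sid:1000001; rev:1;)
#alert tcp any any -> any 21 (msg:"constructed B"; content:"bbb"; sid:1000002; rev:1;)
pass tcp any any -> any 21 (msg:"constructed D"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for name, text in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, review_update(INSTALLED, text))
```

This gate only looks at which sids are active and with what action; a rule whose body was altered under the same sid and action passes it, so a text diff of changed rules is still worth keeping for review.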


