[Snort-users] How do keep update my rules in Snort 2.0 over Windows 2000?
erek at ...950...
Sun Jun 1 23:02:16 EDT 2003
I didn't respond to the original question for various reasons, but I feel
as though I have to respond to this one.
There are quite a few reasons that doing this can be a _very_ bad thing. I
won't go into details since they have been discussed here many times. If
you're curious, please check the archives for 'auto update rules' to
see various discussions. I will mention some reasons:
* Fault tolerance
* Bad rules
* Tuned ruleset
On Sun, 1 Jun 2003, Jon Baer wrote:
> wget http://www.whitehats.com/ids/vision18.rules.gz
You might be better off not to use that ruleset. It hasn't been updated
in quite a while. None of those rules make use of any of the features
added in later releases. I didn't do an each and every rule comparison,
but from what I saw, quite a few (if not more) of those rules are already
in the default ruleset.
Now, what you _really_ want is something that's already written. It's
called Oinkmaster and does its job quite well. As much of a fan of
manual rule updates as I am, this is the best tool for that I've seen. If
you want to have a look at Oinkmaster, it's easily found --And don't
those lil' piggies look cute!? ;-)
Check the archives and see the arguments. Make your own choice... Just
remember "There is no perfect solution."
"When things get weird, the weird turn pro." H.S. Thompson