[Snort-users] How do keep update my rules in Snort 2.0 over Windows 2000?

Erek Adams erek at ...950...
Sun Jun 1 23:02:16 EDT 2003


I didn't respond to the original question for various reasons, but I feel
as though I have to respond to this one.

Theres quite a few reasons that doing this can be a _very_ bad thing.  I
won't go into details since they have been discussed here many times.  If
you're curious, please check the archives for 'auto update rules' [0] to
see various discussions.  I will mention some reason:

	*  Fault tolerance
	*  Bad rules
	*  Tuned ruleset

On Sun, 1 Jun 2003, Jon Baer wrote:

[...snip...]

> wget http://www.whitehats.com/ids/vision18.rules.gz

[...snip...]

You might be better off not to use that ruleset.  It hasn't been updated
in quite a while.  None of those rules make use of any of the features
added in later releases.  I didn't do a each and every rule comparison,
but from what I saw, quite a few (if not more) of those rules are already
in the default ruleset.


Now, what you _really_ want is something that's already written.  It's
called Oinkmaster and does it's job quite well.  As much of a fan of
manual rule updates as I am, this is the best tool for that I've seen.  If
you want to have a look at Oinkmaster, it's easily found [1]--And don't
those lil' piggies look cute!?  ;-)

Check the archives and see the arguments.  Make your own choice...  Just
remember "There is no perfect solution."

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=auto+update+rules&q=b
[1] http://www.algonet.se/~nitzer/oinkmaster/




More information about the Snort-users mailing list