[Snort-users] How do keep update my rules in Snort 2.0 over Windows 2000?

Michael Steele michaels at ...9077...
Mon Jun 2 00:06:06 EDT 2003


I can never figure out why anyone would leave rule updating to an automated

I guess I could see it if there were some safeguards in place, but there would
be a LOT of those safeguards that would need to be in place. I still would
prefer to do this manually rather than all the worrying that it has

Your three examples below are great ones.

The only sure guaranteed method is a manual install and verification.


-Michael Steele
 System Engineer / Security Support Technician     
 mailto:michaels at ...9077...    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Erek Adams
Sent: Sunday, June 01, 2003 11:02 PM
To: Jon Baer
Cc: Pig-A-Holics Anonymous; Javier Romero
Subject: Re: [Snort-users] How do keep update my rules in Snort 2.0 over
Windows 2000?

I didn't respond to the original question for various reasons, but I feel
as though I have to respond to this one.

There are quite a few reasons that doing this can be a _very_ bad thing.  I
won't go into details since they have been discussed here many times.  If
you're curious, please check the archives for 'auto update rules' [0] to
see various discussions.  I will mention some reasons:

	*  Fault tolerance
	*  Bad rules
	*  Tuned ruleset

On Sun, 1 Jun 2003, Jon Baer wrote:


> wget http://www.whitehats.com/ids/vision18.rules.gz


You might be better off not using that ruleset.  It hasn't been updated
in quite a while.  None of those rules make use of any of the features
added in later releases.  I didn't do an each-and-every-rule comparison,
but from what I saw, quite a few (if not more) of those rules are already
in the default ruleset.

Now, what you _really_ want is something that's already written.  It's
called Oinkmaster and does its job quite well.  As much of a fan of
manual rule updates as I am, this is the best tool for that I've seen.  If
you want to have a look at Oinkmaster, it's easily found [1]--And don't
those lil' piggies look cute!?  ;-)

Check the archives and see the arguments.  Make your own choice...  Just
remember "There is no perfect solution."


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[1] http://www.algonet.se/~nitzer/oinkmaster/
