[Snort-users] How do I keep my rules updated in Snort 2.0 on Windows 2000?
Roy S. Rapoport
snort-users at ...9230...
Mon Jun 2 00:54:04 EDT 2003
On Mon, Jun 02, 2003 at 12:05:01AM -0700, Michael Steele wrote:
> I can never figure out why anyone would leave rule updating to an automated
Are you guys assuming that the primary purpose of an IDS is to reliably
detect intrusion attempts and then correctly inform sysadmins? Because
I don't think that's necessarily the only scenario.
I've done my time in the Corporate world in a senior management
position. I've seen more than one case where the goal at installation
of a product like Snort is not "so we can detect intrusions," but "so we
can tell the CIO/Shareholders/Auditors/whoever that we have an IDS." In
other words, this is the IDS as a political, rather than a technical
Now, in an environment where you have deployed the IDS as a political
tool, automatic rule updates are also a political tool. They make it so
you essentially A) lower the overhead of actually managing and updating
your IDS; and B) pass the buck to someone else who'll 'take the fall'
if something bad happens. Now, mind you, it's almost a win-win scenario
because the person who'll be blamed -- the people who develop Snort
rules, say -- can't actually be harmed by some IT guy going "hey, I
don't know what happened, I guess they gave us bad rules." There's a
potential PR issue, of course.
It's not the way *I* run Engineering organizations, but I've seen
Engineering organizations that were run on the premise that it's better
to say "We did due diligence to avoid and detect intrusions -- we were
automatically updating rules and the rules as of the night before the
intrusion didn't help us" than "we did due diligence to avoid and detect
intrusions -- we carefully hand-crafted and hand-inspected each rule we
deployed, and consequently were about six weeks behind the most recent
ruleset." In some environments, even if the most recent rules wouldn't
have fixed the problem, the fact that you were "behind the curve" will
be politically painful to you. And God knows we don't want political
(Oh, and s/IDS/Security Policy/g -- I can't tell you how non-amusing it
was when I realized that the large Fortune 500 software company with
whose internal workings I'm most familiar has had five CIOs in three
years *AND* that every single one of them said fairly early in the
process "We must have a security policy! Oh, and discard all the work on
the security policy that my predecessor had paid for!").