[Snort-users] How do I keep my rules updated in Snort 2.0 on Windows 2000?
javierromero at ...5703...
Tue Jun 3 08:24:03 EDT 2003
Thank you for your reply, I appreciate your comments.
But I just need to keep my Snort automatically updated to do forensic work. That is, when you have a capture from windump and you quickly want to search for attacks in the past.
PS: I agree with your comments.
--------- Original Message ---------
DATE: Mon, 2 Jun 2003 01:02:32
From: "Roy S. Rapoport" <snort-users at ...9230...>
To: 'Pig-A-Holics Anonymous' <snort-users at lists.sourceforge.net>
>On Mon, Jun 02, 2003 at 12:05:01AM -0700, Michael Steele wrote:
>> I can never figure out why anyone would leave rule updating to an automated
>Are you guys assuming that the primary purpose of an IDS is to reliably
>detect intrusion attempts and then correctly inform sysadmins? Because
>I don't think that's necessarily the only scenario.
>I've done my time in the Corporate world in a senior management
>position. I've seen more than one case where the goal at installation
>of a product like Snort is not "so we can detect intrusions," but "so we
>can tell the CIO/Shareholders/Auditors/whoever that we have an IDS." In
>other words, this is the IDS as a political, rather than a technical
>Now, in an environment where you have deployed the IDS as a political
>tool, automatic rule updates are also a political tool. They make it so
>you essentially A) lower the overhead of actually managing and updating
>your IDS; and B) pass the buck to someone else who'll 'take the fall'
>if something bad happens. Now, mind you, it's almost a win-win scenario
>because the person who'll be blamed -- the people who develop Snort
>rules, say -- can't actually be harmed by some IT guy going "hey, I
>don't know what happened, I guess they gave us bad rules." There's a
>potential PR issue, of course.
>It's not the way *I* run Engineering organizations, but I've seen
>Engineering organizations that were run on the premise that it's better
>to say "We did due diligence to avoid and detect intrusions -- we were
>automatically updating rules and the rules as of the night before the
>intrusion didn't help us" than "we did due diligence to avoid and detect
>intrusions -- we carefully handcrafted and handinspected each rule we
>deployed, and consequently were about six weeks behind the most recent
>ruleset." In some environments, even if the most recent rules wouldn't
>have fixed the problem, the fact that you were "behind the curve" will
>be politically painful to you. And God knows we don't want political
>(Oh, and s/IDS/Security Policy/g -- I can't tell you how non-amusing it
>was when I realized that the large Fortune 500 software company with
>whose internal workings I'm most familiar has had five CIOs in three
>years *AND* that every single one of them said fairly early in the
>process "We must have a security policy! Oh, and discard all the work on
>the security policy that my predecessor had paid for!").
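As an added example for this thread (not code from the Snort project or from anyone on the list), the following Python script shows the middle ground between the two positions argued above: the ruleset is pulled automatically, but it is only staged after its SHA-256 matches a digest obtained out of band, and the operator gets a summary of which sids were added, removed or revised to look at before the file is swapped into the rules directory. The rule text, the sids (chosen from the local 1000000+ range) and the digest are constructed for the demo; the function names are the example's own, not Snort's.

```python
"""Added example for this thread (not code from the Snort project or from
anyone on the list): the middle ground between "fully automatic" and
"hand-inspect every rule".  The update is pulled automatically, but it is
only staged after its SHA-256 matches a digest obtained out of band, and
the operator gets a summary of which sids were added, removed or revised.
All rule text and digests below are constructed for the demo."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Snort rule options look like "sid:1000001; rev:2;" inside the parentheses.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> Dict[int, Tuple[int, str]]:
    """Map sid -> (rev, rule line).  Blank lines and '#' comments are
    skipped; a line with no sid is skipped too (Snort itself refuses
    rules without one)."""
    rules: Dict[int, Tuple[int, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        rev_m = REV_RE.search(line)
        rev = int(rev_m.group(1)) if rev_m else 1  # Snort defaults rev to 1
        rules[int(sid_m.group(1))] = (rev, line)
    return rules


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True only if the downloaded bytes hash to the published digest.
    compare_digest avoids a timing side channel on the comparison."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def diff_rulesets(old_text: str, new_text: str) -> Dict[str, List[int]]:
    """Summarise the change in terms a reviewer can act on."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    # A sid counts as revised if its rev bumped or its text changed without
    # a bump (the latter is itself worth flagging to the reviewer).
    revised = sorted(s for s in set(old) & set(new) if new[s] != old[s])
    return {"added": added, "removed": removed, "revised": revised}


def stage_update(current_text: str, downloaded: bytes,
                 expected_sha256: str) -> Optional[Dict[str, List[int]]]:
    """Return the review summary if the download checks out, or None to
    signal that the download must NOT be swapped into the rules directory."""
    if not verify_sha256(downloaded, expected_sha256):
        return None
    return diff_rulesets(current_text, downloaded.decode("utf-8"))


# Constructed sample data: hypothetical sids in the local range, not real
# snort.org rules.
OLD_RULES = """# currently deployed ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp user"; content:"USER "; sid:1000002; rev:1;)
"""
NEW_RULES = """# freshly downloaded ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; nocase; sid:1000001; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; content:"|00 01|"; sid:1000003; rev:1;)
"""
# Stands in for the digest you would fetch separately from the rules
# themselves (for example from a signed page), so that a tampered download
# cannot also carry its own matching checksum.
PUBLISHED_DIGEST = hashlib.sha256(NEW_RULES.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print(stage_update(OLD_RULES, NEW_RULES.encode("utf-8"), PUBLISHED_DIGEST))
    print(stage_update(OLD_RULES, NEW_RULES.encode("utf-8") + b"# tampered\n",
                       PUBLISHED_DIGEST))
```

Run as a script it prints the summary for the good download (sid 1000003 added, 1000002 removed, 1000001 revised) and `None` for the tampered one. For the forensic use described in the reply, Snort 2.x reads a libpcap file (which is what windump writes) with `snort -r capture.pcap -c snort.conf`, so the same staged ruleset can be run over old captures as well as live traffic.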