[Snort-users] How do keep update my rules in Snort 2.0 over Windows 2000?

Javier Romero javierromero at ...5703...
Tue Jun 3 08:24:03 EDT 2003

Thank you for you reply, I appreciate your comments.

But, I just needed keep automatically update my snort to make forensic works. That is, when you have capture with windump, and you quickly want search for attacks in the past.


PD: I agree with you in your comments.

--------- Original Message ---------

DATE: Mon, 2 Jun 2003 01:02:32 
From: "Roy S. Rapoport" <snort-users at ...9230...>
To: 'Pig-A-Holics Anonymous' <snort-users at lists.sourceforge.net>

>On Mon, Jun 02, 2003 at 12:05:01AM -0700, Michael Steele wrote:
>> I can never figure out why anyone would leave rule updating to an automated
>> system.
>Are you guys assuming that the primary purpose of an IDS is to reliably
>detect intrusion attempts and then correctly inform sysadmins?  Because
>I don't think that's necessarily the only scenario.
>I've done my time in the Corporate world in a senior management
>position.  I've seen more than one case where the goal at installation
>of a product like Snort is not "so we can detect intrusions," but "so we
>can tell the CIO/Shareholders/Auditors/whoever that we have an IDS."  In
>other words, this is the IDS as a political, rather than a technical
>Now, in an environment where you have deployed the IDS as a political
>tool, automatic rule updates are also a political tool.  They make it so
>you essentially A) Lower the overhead of actually managing and updating
>your IDS; and B) Passing the buck to someone else who'll 'take the fall'
>if something bad happens.  Now, mind you, it's almost a win-win scenario
>because the person who'll be blamed -- the people who develop Snort
>rules, say -- can't actually be harmed by some IT guy going "hey, I
>don't know what happened, I guess they gave us bad rules."  There's a
>potential PR issue, of course.
>It's not the way *I* run Engineering organizations, but I've seen
>Engineering organizations that were run on the premise that it's better
>to say "We did due diligence to avoid and detect intrusions -- we were
>automatically updating rules and the rules as of the night before the
>intrusion didn't help us" than "we did due diligence to avoid and detect
>intrusions -- we carefully handcrafted and handinspected each rule we
>deployed, and consequently were about six weeks behind the most recent
>ruleset."  In some environments, even if the most recent rules wouldn't
>have fixed the problem, the fact that you were "behind the curve" will
>be politically painful to you.  And God knows we don't want political
>(Oh, and s/IDS/Security Policy/g -- I can't tell you how non-amusing it
>was when I realized that the large Fortune 500 software company with
>whose internal workings I'm most familiar has had five CIOs in three
>years *AND* that every single one of them said fairly early in the
>process "We must have a security policy! Oh, and discard all the work on
>the security policy that my predecessor had paid for!").
>This SF.net email is sponsored by: eBay
>Get office equipment for less on eBay!
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!

More information about the Snort-users mailing list