[Snort-users] How do I keep my rules updated in Snort 2.0 on Windows 2000?

Javier Romero javierromero at ...5703...
Tue Jun 3 08:24:03 EDT 2003


Thank you for your reply, I appreciate your comments.

But I just need to keep my Snort automatically updated to do forensic work. That is, when you have a capture from windump and you quickly want to search it for attacks in the past.

Javier

PS: I agree with your comments.
--

--------- Original Message ---------

DATE: Mon, 2 Jun 2003 01:02:32 
From: "Roy S. Rapoport" <snort-users at ...9230...>
To: 'Pig-A-Holics Anonymous' <snort-users at lists.sourceforge.net>
Cc: 

>On Mon, Jun 02, 2003 at 12:05:01AM -0700, Michael Steele wrote:
>> I can never figure out why anyone would leave rule updating to an automated
>> system.
>
>Are you guys assuming that the primary purpose of an IDS is to reliably
>detect intrusion attempts and then correctly inform sysadmins?  Because
>I don't think that's necessarily the only scenario.
>
>I've done my time in the Corporate world in a senior management
>position.  I've seen more than one case where the goal at installation
>of a product like Snort is not "so we can detect intrusions," but "so we
>can tell the CIO/Shareholders/Auditors/whoever that we have an IDS."  In
>other words, this is the IDS as a political, rather than a technical
>tool.
>
>Now, in an environment where you have deployed the IDS as a political
>tool, automatic rule updates are also a political tool.  They make it so
>you essentially A) Lower the overhead of actually managing and updating
>your IDS; and B) Passing the buck to someone else who'll 'take the fall'
>if something bad happens.  Now, mind you, it's almost a win-win scenario
>because the person who'll be blamed -- the people who develop Snort
>rules, say -- can't actually be harmed by some IT guy going "hey, I
>don't know what happened, I guess they gave us bad rules."  There's a
>potential PR issue, of course.
>
>It's not the way *I* run Engineering organizations, but I've seen
>Engineering organizations that were run on the premise that it's better
>to say "We did due diligence to avoid and detect intrusions -- we were
>automatically updating rules and the rules as of the night before the
>intrusion didn't help us" than "we did due diligence to avoid and detect
>intrusions -- we carefully handcrafted and handinspected each rule we
>deployed, and consequently were about six weeks behind the most recent
>ruleset."  In some environments, even if the most recent rules wouldn't
>have fixed the problem, the fact that you were "behind the curve" will
>be politically painful to you.  And God knows we don't want political
>pain.
>
>(Oh, and s/IDS/Security Policy/g -- I can't tell you how non-amusing it
>was when I realized that the large Fortune 500 software company with
>whose internal workings I'm most familiar has had five CIOs in three
>years *AND* that every single one of them said fairly early in the
>process "We must have a security policy! Oh, and discard all the work on
>the security policy that my predecessor had paid for!").
>
>-roy
>
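The forensic use case Javier describes above (replay a saved windump capture through Snort with the current rules, then look for hits) can be scripted. The following is an added example written for this page, not code from the thread or from the Snort project. It assumes Snort's read-pcap mode (`-r <file>`, with `-c` for the config, `-l` for the log directory and `-A fast` for one-line alerts), that fast alerts land in `<logdir>/alert`, and that the alert lines follow Snort's fast format; the sample alert lines, IP addresses and SIDs are constructed for illustration.

```python
"""Replay a saved packet capture through Snort and summarise the alerts it raises."""
import os
import re
import subprocess
from collections import Counter

# Snort "fast" alert format, one alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification and Priority are optional; ICMP lines carry no ports.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample output (not real alerts): two hits from one host on a
# local web rule, one ICMP hit, and one junk line the parser must skip.
SAMPLE_ALERTS = """\
06/03-08:24:03.123456  [**] [1:1000001:1] LOCAL example web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40123 -> 198.51.100.5:80
06/03-08:24:05.654321  [**] [1:1000001:1] LOCAL example web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40124 -> 198.51.100.5:80
06/03-08:25:00.000000  [**] [1:1000002:2] LOCAL example ICMP sweep [**] [Priority: 3] {ICMP} 192.0.2.44 -> 198.51.100.5
this is not an alert line
"""


def build_replay_cmd(pcap, conf, logdir):
    """Command line that reads a saved capture (e.g. windump -w out.pcap)
    through Snort instead of a live interface. On Windows the binary is
    snort.exe; adjust the first element if needed."""
    return ["snort", "-r", pcap, "-c", conf, "-l", logdir, "-A", "fast"]


def parse_fast_alert(line):
    """Parse one fast-format alert line; return a dict or None for non-alerts."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev"):
        alert[key] = int(alert[key])
    alert["prio"] = int(alert["prio"]) if alert["prio"] is not None else None
    return alert


def host_of(endpoint):
    """Strip an optional :port from 'a.b.c.d:port' (ICMP endpoints have none)."""
    return endpoint.rsplit(":", 1)[0]


def summarise(lines):
    """Count alerts per (sid, message) and per source host, skipping junk lines."""
    by_sid, by_src = Counter(), Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        by_sid[(alert["sid"], alert["msg"])] += 1
        by_src[host_of(alert["src"])] += 1
    return by_sid, by_src


def replay_and_summarise(pcap, conf, logdir):
    """Run Snort over the capture and summarise the alert file it produces.
    Assumes fast alerts are written to <logdir>/alert."""
    os.makedirs(logdir, exist_ok=True)
    subprocess.run(build_replay_cmd(pcap, conf, logdir), check=True)
    with open(os.path.join(logdir, "alert"), encoding="utf-8", errors="replace") as fh:
        return summarise(fh)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # replay_and_summarise("capture.pcap", "snort.conf", "logs") for a real run.
    by_sid, by_src = summarise(SAMPLE_ALERTS.splitlines())
    for (sid, msg), n in by_sid.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  from {src}")
```

Because the capture is replayed rather than sniffed live, the same pcap can be re-run after each rules update, which is the point of automating the update for forensic work: yesterday's traffic gets checked against today's signatures.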
