Snort mailing list archives

RE: DB Rules


From: Tom Sevy <tsevy () epx com>
Date: Sat, 18 Aug 2001 09:27:07 -0400

I wouldn't really be in favor of putting the rules into a DB.  Just my
opinion, but I don't think it adds value to the program.  Nice?  Yes, maybe.
I think this could be achieved with rsync though.

Going off-track from snort itself, does anyone know of an Open Source
message queue?  We had in-house apps that suffered the same problem
(dependent upon connection to DB/SQL Server) and we solved it by putting a
message queue between the App(s) and the database.  So if this is really a
problem (snort hangs when blocked in DB output) then it might be resolved by
an output plugin that writes to a message queue, then another process that
reads the message queue and inserts to the DB.  If there is a block in the
DB, then the writing process will wait, but snort keeps going.


-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Saturday, August 18, 2001 12:06 AM
To: Charles Henrich
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DB Rules


On Fri, 17 Aug 2001, Charles Henrich wrote:

> Snort could/should check timestamps on rule files to do updates
> automatically, DB updates could be similar, just ping the DB for all rules
> that changed in the last 10 minutes or whatever.

See #3 below...

> Once you learn SQL, it doesn't feel any more difficult to change entries,
> and actually you could link excel to the DB and continue to edit them as
> you would with VI.

Ummm....  I'm not going to start a religious war, but IMHO using some sort of
M$ product to manage _anything_ dealing with security is just asking for
trouble.  :)  If you're a Windows type person, please feel free, but for the
Unix Bigots(tm), it's a scary thought.  Side note:  I had to maintain an NT
3.51 net for about a year.  After that, I swore it off--It almost killed me.
I still have nightmares...

> Nothing happens, new rules aren't propagated, but existing ones would
> still be live..

The thing that concerns me is this:  [This may have changed, or is in the
process of it...]  Currently, the db output plugin will block if it can't
connect to the db.  That means that nothing gets processed until it can talk
to the DB again.  This is not a good thing.  I don't like being dependent on
ip-to-ip connectivity for any part of an IDS.  Granted:  This is nit-picky,
but when I'm protecting assets, I feel as though I have to be. :-)  I have
no urge to tell the Pointy-Haired Boss "Ummm, we didn't see the hacker until
it was too late."  Not very good for job advancement!

On a related note:  There is something similar to this out there already.
Jeff Dell (jdell () activeworx com) has built a rule merger/sorter/pusher for
the Windows platform.  He's got it secured with scp, and it's a gui.  It
might be worth a look at http://www.activeworx.com/ for it.  It's called the
IDS Policy Manager.  It's push instead of pull, but that's a choice for the
admins.

Keep those ideas coming!  God, I _love_ opensource!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
