Snort mailing list archives
Re: How do keep update my rules in Snort 2.0 over Windows 2000?
From: "Roy S. Rapoport" <snort-users () ols inorganic org>
Date: Mon, 2 Jun 2003 01:02:32 -0700
On Mon, Jun 02, 2003 at 12:05:01AM -0700, Michael Steele wrote:
I can never figure out why anyone would leave rule updating to an automated system.
Are you guys assuming that the primary purpose of an IDS is to reliably detect intrusion attempts and then correctly inform sysadmins? Because I don't think that's necessarily the only scenario. I've done my time in the Corporate world in a senior management position. I've seen more than one case where the goal at installation of a product like Snort is not "so we can detect intrusions," but "so we can tell the CIO/Shareholders/Auditors/whoever that we have an IDS." In other words, this is the IDS as a political, rather than a technical tool. Now, in an environment where you have deployed the IDS as a political tool, automatic rule updates are also a political tool. They make it so you essentially A) Lower the overhead of actually managing and updating your IDS; and B) Passing the buck to someone else who'll 'take the fall' if something bad happens. Now, mind you, it's almost a win-win scenario because the person who'll be blamed -- the people who develop Snort rules, say -- can't actually be harmed by some IT guy going "hey, I don't know what happened, I guess they gave us bad rules." There's a potential PR issue, of course. It's not the way *I* run Engineering organizations, but I've seen Engineering organizations that were run on the premise that it's better to say "We did due diligence to avoid and detect intrusions -- we were automatically updating rules and the rules as of the night before the intrusion didn't help us" than "we did due diligence to avoid and detect intrusions -- we carefully handcrafted and handinspected each rule we deployed, and consequently were about six weeks behind the most recent ruleset." In some environments, even if the most recent rules wouldn't have fixed the problem, the fact that you were "behind the curve" will be politically painful to you. And God knows we don't want political pain. (Oh, and s/IDS/Security Policy/g -- I can't tell you how non-amusing it was when I realized that the large Fortune 500 software company with whose internal workings I'm most familiar has had five CIOs in three years *AND* that every single one of them said fairly early in the process "We must have a security policy! Oh, and discard all the work on the security policy that my predecessor had paid for!"). -roy ------------------------------------------------------- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How do keep update my rules in Snort 2.0 over Windows 2000? Javier Romero (Jun 01)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Jon Baer (Jun 01)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Erek Adams (Jun 01)
- RE: How do keep update my rules in Snort 2.0 over Windows 2000? Michael Steele (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Roy S. Rapoport (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Erek Adams (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Roy S. Rapoport (Jun 02)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Erek Adams (Jun 01)
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Jon Baer (Jun 01)
- <Possible follow-ups>
- Re: How do keep update my rules in Snort 2.0 over Windows 2000? Javier Romero (Jun 03)