Snort mailing list archives
Re: [Snort-sigs] Oinkmaster questions
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 10 Jun 2003 09:14:09 +1200
On Tue, 2003-06-10 at 07:00, Philip Davidson wrote:
> Hello all,
>
> Has anyone ever had any problems with letting oinkmaster be fully automated? Some documentation that I have says that it could be unreliable for a couple of reasons. But I am wondering if anyone has ever had any problems like snort messing up as a result of full automation.
There have been *very* occasional glitches where new rules have triggered bugs in some configurations. I have my own equivalent of oinkmaster (I'm currently dumping it in favour of oinkmaster) and I have had problems with it barfing on some new rules that it did not know how to handle. Oinkmaster is probably more robust in this respect -- it does not try to be as smart as mine ;-) and is more stable because of it.

The thing to remember is that these problems will only occur when you are off site and out of touch. (My last problem of this nature occurred when I was at the FIRST conference in Hawaii -- just a year ago, when the first rules using byte_test and byte_jump appeared.)

What I do is run two systems, one of which is updated automatically and one of which is updated manually as a backup. Should the first fail for whatever reason, the other one normally keeps running. I update the backup about once a month (or if any particularly significant signatures are released). It runs on an older box and drops the odd packet here and there but is adequate as a backup -- it is my old primary box.

--
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
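A complementary safeguard for the failure mode discussed in the message above, as an added example that is not part of the original thread: snapshot the rules, let oinkmaster update them, and roll back if Snort's self-test (`snort -T`) cannot load the result. The wrapper functions, the `OINKMASTER`/`SNORT` variables and the paths are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): roll back an automated rule update
# when Snort's self-test rejects the new rule set.
# Assumptions: command names are overridable via OINKMASTER and SNORT;
# oinkmaster's own configuration (rule URL etc.) is already in place.
OINKMASTER=${OINKMASTER:-oinkmaster.pl}
SNORT=${SNORT:-snort}

# restore_rules RULES_DIR SNAPSHOT_DIR: put the snapshot back, drop the snapshot.
restore_rules() {
    rm -rf "${1:?}"/*
    cp -Rp "$2/." "$1/"
    rm -rf "$2"
}

# update_rules RULES_DIR SNORT_CONF
# Returns 0: new rules accepted; 1: snapshot or download failed, old rules kept;
#         2: Snort rejected the new rules, old rules restored.
update_rules() {
    rules=$1
    conf=$2
    snapshot=$(mktemp -d) || return 1
    cp -Rp "$rules/." "$snapshot/" || { rm -rf "$snapshot"; return 1; }

    # oinkmaster -o DIR updates the rule files in DIR in place.
    if ! "$OINKMASTER" -o "$rules" >/dev/null 2>&1; then
        restore_rules "$rules" "$snapshot"
        return 1
    fi

    # snort -T parses the configuration and rules, then exits; a non-zero
    # status means this Snort build cannot load the updated rule set.
    if ! "$SNORT" -T -c "$conf" >/dev/null 2>&1; then
        restore_rules "$rules" "$snapshot"
        return 2
    fi

    rm -rf "$snapshot"
    return 0
}

# Typical cron use (paths are placeholders): restart Snort only on success.
#   update_rules /etc/snort/rules /etc/snort/snort.conf && <restart snort>
```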