Snort mailing list archives

Re: [Snort-sigs] Oinkmaster questions


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 10 Jun 2003 09:14:09 +1200

On Tue, 2003-06-10 at 07:00, Philip Davidson wrote:
> Hello all,
>
> Has anyone ever had any problems with letting oinkmaster be fully
> automated?  Some documentation that I have says that it could be
> unreliable for a couple of reasons.  But I am wondering if anyone has
> ever had any problems like snort messing up as a result of full
> automation.

There have been *very* occasional glitches where new rules have triggered
bugs in some configurations.  I have my own equivalent of oinkmaster
(I'm currently dumping it in favour of oinkmaster) and I have had
problems with it barfing on some new rules that it did not know how to
handle.  Oinkmaster is probably more robust in this respect -- it does
not try to be as smart as mine ;-) and is more stable because of it.

The thing to remember is that these problems will only occur when you
are off site and out of touch.  (my last problem of this nature occurred
when I was at the FIRST conference in Hawaii --  just a year ago when
the first rules using byte_test and byte_jump appeared).

What I do is run two systems, one of which is updated automatically and
one of which is updated manually as a back up.  Should the first fail
for whatever reason the other one normally keeps running.  I update the
backup about once a month (or if any particularly significant signatures
are released).  It runs on an older box and drops the odd packet here
and there but is adequate as a backup -- it is my old primary box.

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
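
One way to guard an unattended update against the failure mode described above (new rules the running sensor cannot parse), as an added example that is not part of the original post or of Oinkmaster. The names `gated_rule_update` and `legacy_validator` are hypothetical; in real use the validator would be a wrapper that runs Snort's own configuration self-test (`snort -T`) against the candidate rules.

```shell
#!/bin/sh
# Added example: promote freshly downloaded rules only if a validator accepts them.
# Usage: gated_rule_update NEW_DIR LIVE_DIR VALIDATOR [ARGS...]
# Returns 0 = promoted, 1 = rejected (live rules untouched), 2 = usage/IO error.
gated_rule_update() {
    [ "$#" -ge 3 ] || return 2
    new_dir=$1; live_dir=$2; shift 2
    [ -d "$new_dir" ] && [ -d "$live_dir" ] || return 2

    # Validate the candidate rules before the running sensor ever sees them.
    if ! "$@" "$new_dir" >/dev/null 2>&1; then
        echo "rule update rejected; keeping $live_dir" >&2
        return 1
    fi

    # Keep the previous rule set so a manual rollback is one copy away.
    backup="$live_dir.prev"
    rm -rf "$backup"
    cp -R "$live_dir" "$backup" || return 2

    # Promote; if the copy fails halfway, restore the previous rule set.
    if ! cp "$new_dir"/*.rules "$live_dir"/; then
        rm -rf "$live_dir"
        mv "$backup" "$live_dir"
        return 2
    fi
    return 0
}

# Constructed stand-in for an older sensor's rule parser: it rejects any
# rule file using options it does not know (here byte_test / byte_jump).
# Assumption: a production validator would instead invoke `snort -T`
# with a configuration that includes the rules in "$1".
legacy_validator() {
    ! grep -Eq 'byte_(test|jump)' "$1"/*.rules
}
```

Run from cron after the download step, a non-zero return leaves the sensor on its last known-good rules and gives the operator something to alert on.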


