
List:       snort-users
Subject:    Re: [Snort-users] ignore bad rule on startup
From:       Paul Schmehl <pauls () utdallas ! edu>
Date:       2006-07-19 17:21:33
Message-ID: 44BE6A1D.1020308 () utdallas ! edu


kakomon wrote:
> Thank you for your answer, Paul.
> However, I'm asking if there is an option, an argument, a switch or
> something, to make snort skip eventual garbage during startup.
> 
There is not.

> I've seen snort refusing to start due to a 'fwsam' directive in some
> bleedingedge rules, like the file 'bleeding-dshield-BLOCK.rules',
> 
> or, for example, if it finds two rules with the same SID.
> 
> I'd like to know if the behaviour could be to simply skip those rules.
>
No, because snort can't make those decisions for you.  If you had two 
duplicate SIDs, which should be disabled?

> This would allow me to auto-download the rules,
> maybe with oinkmaster.
> 
> Now it's not possible, because if a new rules update breaks snort,
> it will not start up anymore.
> 
> Think about the disaster if snort is inline:
> all the traffic would be waiting in queue!
> 
You shouldn't be automating rule updates on an inline setup anyway. 
Rules should be applied to a test box, vetted, and then deployed to the 
production box when you're certain no disruption will occur.

-- 
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
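
An added example, not part of the original message or of Snort or oinkmaster: a pre-deployment check for the two startup failures named in the thread, a duplicate SID across rule files and a rule option (`fwsam`) the sensor's build does not recognize. The sample rules, file names, the `vet` function and the `UNSUPPORTED` list are constructed for illustration; single-line rules are assumed.

```python
import re
from collections import defaultdict

# Constructed sample rule files (not real Bleeding Edge content).
SAMPLE = {
    "local.rules": (
        'alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any 81 (msg:"disabled"; sid:1000001; rev:1;)\n'
        'alert tcp any any -> any 22 (msg:"constructed B"; sid:1000002; rev:1;)\n'
    ),
    "update.rules": (
        'alert ip any any -> any any (msg:"constructed C"; sid:1000002; rev:3;)\n'
        'alert ip any any -> any any (msg:"constructed D"; fwsam: src, 1 hour; '
        'sid:1000003; rev:1;)\n'
    ),
}

SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")
# Options assumed to be unknown to the production sensor's build.
UNSUPPORTED = ("fwsam",)

def vet(rule_files, unsupported=UNSUPPORTED):
    """Return (duplicate_sids, unsupported_hits) for a dict of name -> rule text."""
    seen = defaultdict(list)   # sid -> [(file, line number), ...]
    hits = []                  # (file, line number, option)
    for name, text in rule_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue       # blank line or commented-out rule
            m = SID_RE.search(line)
            if m:
                seen[int(m.group(1))].append((name, lineno))
            for opt in unsupported:
                if re.search(r"[(;]\s*%s\s*:" % re.escape(opt), line):
                    hits.append((name, lineno, opt))
    dups = {sid: locs for sid, locs in seen.items() if len(locs) > 1}
    return dups, hits

if __name__ == "__main__":
    dups, hits = vet(SAMPLE)
    for sid, locs in sorted(dups.items()):
        print("duplicate sid %d: %s" % (sid, locs))
    for name, lineno, opt in hits:
        print("%s:%d uses unsupported option '%s'" % (name, lineno, opt))
    # Non-zero exit lets an update job stop before touching production.
    raise SystemExit(1 if dups or hits else 0)
```

This only reports the conflicts; which of two duplicate rules to disable stays a human decision, and a full `snort -T` run against the complete configuration on the test box is still the final check before deployment.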
