Snort mailing list archives

Re: DB Rules

From: Mike Baptiste <mike () baptistefamily net>
Date: Sat, 18 Aug 2001 16:33:09 -0400

I don't think having Snort refer to rules in a central DB in realtime isa good idea. Central point of failure, etc, etc. Like many havealready posted.

That said, I'm currently working on a DB setup which will store lots ofinfo about Snort rules includign user comments, ideas, etc. and willhave interfaces for user to grab rules manually or automatically as theyare added, changed, etc so you can automate rules updates (to a point)So rules would still be stored locally, but you'd be able to pull in newrules and stuff from teh DB> Users can also submit their own rules andcreate rule profiles for various situations, setups, etc.

The DB itself is done including the code to take rule files and importthem into the DB as new changes come out (so I can download hte snortrules and update the DB anytime a new rule set comes out in CVS) and I'mcurrently working on user profile stuff. I'm also working on anaddition to my Snort Webmin Module (http://www.msbnetworks.com/snort/)which will let you grab new/changed rules from my DB and splice theminto your existing rule files.


I'll post more info as things move along.  Perhaps by teh end of next week.

Mike

Charles Henrich wrote:

It would be really cool if snort could read its rulesets from the database
source.  That way remote sensors who are talking directly to the central DB
server could get immediate rule updates, and make administration of a snort
network much easier.. (IMHO).  Whacha think?

      Charles Henrich                                     henrich () sigbus com

                         http://www.sigbus.com/~henrich

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DB Rules Charles Henrich (Aug 17)
- Re: DB Rules Erek Adams (Aug 17)
  - Re: DB Rules Charles Henrich (Aug 17)
    - Re: DB Rules Erek Adams (Aug 17)
  - Re: DB Rules Jason Robertson (Aug 19)
    - Re: DB Rules Erek Adams (Aug 19)
    - Re: DB Rules Jason Robertson (Aug 20)
- Re: DB Rules Chris Green (Aug 17)
- Re: DB Rules Mike Baptiste (Aug 18)
- <Possible follow-ups>
- RE: DB Rules Tom Sevy (Aug 18)
  - Re: DB Rules Chris Green (Aug 18)