Snort mailing list archives
Re: [Snort-devel] threshold -- is it really deprecated?
From: Jim Hranicky <jfh () ufl edu>
Date: Tue, 24 Jan 2012 10:41:15 -0500
On Mon, 23 Jan 2012 23:42:28 -0500 Jason Brvenik <jbrvenik () sourcefire com> wrote:
> I'm not opposed to a structured format, just have issues with:
> - the need to risk an edit to a non-detection causing an inadvertent detection modification.
> - the risk of a local detection or metadata edit being clobbered by an update that doesn't affect either directly.
If you make local mods at all, don't you have this problem anyway? How does having everything but detection in other places solve this?
> - the need for non-trivial parsing logic
libYAML ?
> - the need for tools to manage rules at scale.
>
> To sum it up. It needs to be well structured, easily parsed with existing tools, easily verified, signable, inheritable, overridable, understandable and usable by humans, editable with a simple text editor, automatable, encryptable, and facilitate sharing :)
As for scale, I have a small scale setup, but in general for config management I've always gotten a lot of mileage out of either having a master machine with all the different configs and rsyncing them to the machines they need to go to, or a simple templating script that builds them when necessary. Some day I'll check out puppet/chef, but like I said, our setup is smallish.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
