On Mon, Aug 25, 2003 at 01:33:37AM +0200, Goswin von Brederlow wrote:
> Why don't you add an option to load newer rulesets and/or update
> information to snort. Once a day/week/month snort would probe some url
> for a signed ruleset or news file and report to the user about any
> updates.
> That way you can have the binary in stable and still provide changes
> on a more regular basis.

  That's a perfect solution, but it only works for the cases in which the
 snort binary can understand the rulesets which are being downloaded.

  The way I understand the current situation the real problem is that
 the stable snort cannot understand the newer rule files; because it's
 simply too old.

  However the solution would have to be a little bit more complex than
 that which you select - blindly installing the rulesets might not be
 the best idea.

  I'd love to see a system which used a simple curses interface to:

        1.  List all new rulesets with a description of their
           use.  (eg. msblast.snrt - Alert on MSBlaster worm probes).

        2.  Upgrade all the rules which are currently installed.
  (Essentially apt-get + apt-cache for snort rules.  Clearly packaging a
  single rule file within one package is a gross misuse of resources but
  it might be sufficient if they were signed and hosted somewhere
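
The list/upgrade step described in this message, as an added example that is not part of the original thread. The manifest format, the function names and all sample values are assumptions made for illustration; the manifest's detached signature is assumed to have been verified already (for instance with gpgv) before this code sees it.

```python
import hashlib

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def parse_version(s):
    # "1.8.4" -> (1, 8, 4) so versions compare numerically, not as strings
    return tuple(int(p) for p in s.split("."))

def plan_updates(manifest_text, installed, snort_version):
    """Sort manifest entries into new / upgrade / skipped without installing.

    installed maps rule file name -> SHA-256 of the local copy.
    Rules that need a newer snort than the installed binary are skipped,
    which is the case the stable binary cannot handle.
    """
    plan = {"new": [], "upgrade": [], "skipped": []}
    have = parse_version(snort_version)
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|", 3)]
        if len(fields) != 4:
            plan["skipped"].append((line, "malformed entry"))
            continue
        name, min_ver, digest, desc = fields
        if parse_version(min_ver) > have:
            plan["skipped"].append((name, "needs snort >= " + min_ver))
        elif name not in installed:
            plan["new"].append((name, desc))
        elif installed[name] != digest:
            plan["upgrade"].append((name, desc))
    return plan

# Constructed sample data (hypothetical format: name | min version | sha256 | description)
SAMPLE_MANIFEST = "\n".join([
    "# name | min snort version | sha256 | description",
    f"msblast.snrt | 1.8 | {sha256('msblast v1')} | Alert on MSBlaster worm probes",
    f"web-misc.snrt | 1.8 | {sha256('web-misc v2')} | Miscellaneous web probes",
    f"flow.snrt | 2.0 | {sha256('flow v1')} | Rules using newer keywords",
    f"dns.snrt | 1.8 | {sha256('dns v1')} | DNS probes",
])
SAMPLE_INSTALLED = {"web-misc.snrt": sha256("web-misc v1"),
                    "dns.snrt": sha256("dns v1")}

if __name__ == "__main__":
    for kind, items in plan_updates(SAMPLE_MANIFEST, SAMPLE_INSTALLED, "1.8.4").items():
        for name, note in items:
            print(f"{kind:8} {name:16} {note}")
```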

