RE: Updating Snort Signatures In Stable ? -- SNORT 1.9.0 for woody

2002-12-30 Thread Sébastien Desse
Hello,

I saw a lot of discussion about snort 1.9 on woody.
I just want to say that we do need the 1.9!
Why don't we use another directory (like contrib) where we can put
unstable software built for the stable distribution?

For those who are interested in snort 1.9 without using unstable and without
last glibc and uploaded it to a website : http://acdessec.chez.tiscali.fr/

Please email me if you find bugs in these packages.

Regards,

Sebastien Desse

> -----Original Message-----
> From: Gustavo Franco [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 11 December 2002 12:57
> To: debian-security@lists.debian.org
> Subject: Re: Updating Snort Signatures In Stable ?
>
>
> On Tue, 2002-12-10 at 16:52, Matt Zimmerman wrote:
> > On Tue, Dec 10, 2002 at 04:36:08PM -0200, Gustavo Franco wrote:
> >
> > > No, you can't rebuild snort version from unstable.
> >
> > Who can't?  You can't?  I just did, and it was not only
> > possible, but easy.
> Nick Boyce!
>
> > apt-get build-dep snort && apt-get source -b snort
> >
> > > And the snort updates?
> >
> > Yes, they are built from the same source package.
> Will Nick do it daily, weekly or monthly? See below.
>
> > > The best alternative for you is apt-pinning feature, you can read more
> > > about it at apt-howto[1].
> >
> > Nope.  I know how to use apt, thank you very much.  And I prefer not to
> > install unstable glibc on my stable systems.
> It isn't for you!
>
> Unstable glibc is a bad idea, I know. But what about unstable snort? One
> more time, and the snort updates?
>
>
> bye,
> Gustavo Franco -- [EMAIL PROTECTED]
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of unsubscribe. Trouble? Contact
> [EMAIL PROTECTED]




Re: Updating Snort Signatures In Stable ? -- SNORT 1.9.0 for woody

2002-12-30 Thread Marcus Frings
* Sébastien Desse [EMAIL PROTECTED] wrote:

> I saw a lot of discussion about snort 1.9 on woody.
> I just want to say that we do need the 1.9!
> Why don't we use another directory (like contrib) where we can put
> unstable software built for the stable distribution?

I would appreciate this, too. :-)

> For those who are interested in snort 1.9 without using unstable and without
> last glibc and uploaded it to a website : http://acdessec.chez.tiscali.fr/

Another source for a current Woody-snort is (as posted to this list here
lately):
http://debian.fluidsignal.com/dists/woody/updates/main/binary-i386/

Regards,
Marcus
-- 
I think I've reached that point where all the things you have to say and hopes
for something more from me are just games to pass the time away. Please stop
loving me, please stop loving me, I am none of these things...




Re: Updating Snort Signatures In Stable ?

2002-12-11 Thread Gustavo Franco
On Tue, 2002-12-10 at 16:52, Matt Zimmerman wrote:
> On Tue, Dec 10, 2002 at 04:36:08PM -0200, Gustavo Franco wrote:
>
> > No, you can't rebuild snort version from unstable.
>
> Who can't?  You can't?  I just did, and it was not only possible, but easy.
Nick Boyce!

> apt-get build-dep snort && apt-get source -b snort
>
> > And the snort updates?
>
> Yes, they are built from the same source package.
Will Nick do it daily, weekly or monthly? See below.

> > The best alternative for you is apt-pinning feature, you can read more
> > about it at apt-howto[1].
>
> Nope.  I know how to use apt, thank you very much.  And I prefer not to
> install unstable glibc on my stable systems.
It isn't for you!

Unstable glibc is a bad idea, I know. But what about unstable snort? One
more time, and the snort updates?


bye,
Gustavo Franco -- [EMAIL PROTECTED]






Re: Updating Snort Signatures In Stable ?

2002-12-11 Thread Matt Zimmerman
On Wed, Dec 11, 2002 at 09:57:13AM -0200, Gustavo Franco wrote:

> On Tue, 2002-12-10 at 16:52, Matt Zimmerman wrote:
> > On Tue, Dec 10, 2002 at 04:36:08PM -0200, Gustavo Franco wrote:
> >
> > > No, you can't rebuild snort version from unstable.
> >
> > Who can't?  You can't?  I just did, and it was not only possible, but easy.
> Nick Boyce!

I'm sure he is capable of cutting and pasting a command line or two.

> > > And the snort updates?
> > Yes, they are built from the same source package.
> Will Nick do it daily, weekly or monthly? See below.

As often as he likes.  This can be completely automated if desired.
Alternatively, a volunteer could do this from time to time, and make the
packages available in a public repository.

> > Nope.  I know how to use apt, thank you very much.  And I prefer not to
> > install unstable glibc on my stable systems.
> It isn't for you!
>
> Unstable glibc is a bad idea, I know. But what about unstable snort? One
> more time, and the snort updates?

unstable snort is unavoidable, since, as has been discussed, it is important
to have the latest snort signatures, and those often require the latest
version of snort.

-- 
 - mdz






Re: Updating Snort Signatures In Stable ?

2002-12-11 Thread Matt Zimmerman
On Wed, Dec 11, 2002 at 01:43:48AM +, Nick Boyce wrote:

> On Tue, 10 Dec 2002 13:52:06 -0500, Matt Zimmerman wrote:
>
> [re: installing the snort binary from unstable]
>
> > ... And I prefer not to install unstable glibc on my stable systems.
>
> Yeah - I thought there was a big problem with installing any unstable
> *binary* on a stable box, for exactly that reason.

Yep.  But there's often no need, since many (most?) source packages
testing/unstable can be compiled on stable.

> I too don't want the unstable glibc - surely it means you have to replace
> just about every other binary on the system ?

Programs built with glibc x.y will run on glibc x.y+d, though the reverse is
not generally true.  So, upgrading glibc does not typically present problems
with existing programs.  There are exceptions, of course, for example the
recent glibc 2.3 transition problems (mostly due to programs inappropriately
using internal glibc interfaces), a good reason not to upgrade glibc
unnecessarily.

-- 
 - mdz






Re: Updating Snort Signatures In Stable ?

2002-12-10 Thread Gustavo Franco
On Fri, 2002-12-06 at 17:42, Matt Zimmerman wrote: 
> On Thu, Dec 05, 2002 at 11:55:02PM -0500, Noah L. Meyerhans wrote:
>
> > This has been discussed before.  The thing is, I think that if you're
> > serious about using snort, you should not even consider using the one in
> > Debian.  snort.org doesn't even distribute up-to-date rules files for
> > the version in stable.  So if you want to have a useful ruleset, you
> > either need to figure out how to write it for the version in stable, or
> > you need to get a new version from snort.org.  Either way, you're
> > working outside the Debian system.
>
> Why couldn't one just use the version from unstable (presumably building it
> from source)?

No, you can't rebuild snort version from unstable. And the snort updates?
The best alternative for you is apt-pinning feature, you can read more
about it at apt-howto[1].

With the tips you will keep a stable system plus snort from unstable
system and obviously the depends. More easy to keep updated.


[1] =
http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html#s-default-version
This is the section 3.8, check the 3.9 below too. 


cya, 
Gustavo Franco -- [EMAIL PROTECTED]






Re: Updating Snort Signatures In Stable ?

2002-12-10 Thread Matt Zimmerman
On Tue, Dec 10, 2002 at 04:36:08PM -0200, Gustavo Franco wrote:

> No, you can't rebuild snort version from unstable.

Who can't?  You can't?  I just did, and it was not only possible, but easy.

apt-get build-dep snort && apt-get source -b snort

> And the snort updates?

Yes, they are built from the same source package.

> The best alternative for you is apt-pinning feature, you can read more
> about it at apt-howto[1].

Nope.  I know how to use apt, thank you very much.  And I prefer not to
install unstable glibc on my stable systems.

-- 
 - mdz
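
Added example, not code from any poster in this thread: a guard for the rebuild approach in the message above. It checks that apt's source list has a deb-src entry for unstable but no binary deb entry for it, so build dependencies resolve against stable and no unstable glibc can be pulled in, then runs the two quoted commands. The function names and the mirror URL in the demo are assumptions.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the thread.

# check_sources FILE
#   0  deb-src entry for unstable/sid present, no binary entry for it
#   1  a binary "deb" entry for unstable/sid is present (this would let apt
#      install unstable binaries such as glibc)
#   2  no deb-src entry for unstable/sid (nothing newer to build)
#   3  FILE is not readable
check_sources() {
    [ -r "$1" ] || return 3
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            i = 2
            # Skip an optional "[options]" field used by newer apt versions.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            dist = $(i + 1)                     # the field after the URI
            if (dist !~ /^(unstable|sid)(\/|$)/) next
            if ($1 == "deb")     bin = 1
            if ($1 == "deb-src") src = 1
        }
        END { if (bin) exit 1; if (!src) exit 2; exit 0 }
    ' "$1"
}

# rebuild_snort [SOURCES_FILE]
# Runs the commands quoted in the thread in the current directory, refusing
# to start when check_sources reports a problem. Needs root for build-dep.
# If stable cannot satisfy a build dependency, build-dep fails instead of
# upgrading to unstable, because no unstable binary source is configured.
rebuild_snort() {
    check_sources "${1:-/etc/apt/sources.list}" || return $?
    apt-get update &&
        apt-get build-dep snort &&
        apt-get source -b snort
    # The resulting .deb files are left in the current directory for dpkg -i.
}

# Offline demonstration on a constructed sources.list: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/sources.list" <<'EOF'
# constructed sample, mirror name is a placeholder
deb http://mirror.example/debian woody main
deb-src http://mirror.example/debian unstable main
EOF
    demo_rc=0
    check_sources "$demo_dir/sources.list" || demo_rc=$?
    echo "check_sources returned $demo_rc"
    rm -rf "$demo_dir"
fi
```
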






Re: Updating Snort Signatures In Stable ?

2002-12-10 Thread Nick Boyce
On Tue, 10 Dec 2002 13:52:06 -0500, Matt Zimmerman wrote:

[re: installing the snort binary from unstable]

> ... And I prefer not to
> install unstable glibc on my stable systems.

Yeah - I thought there was a big problem with installing any unstable
*binary* on a stable box, for exactly that reason.

I too don't want the unstable glibc - surely it means you have to
replace just about every other binary on the system ?

Nick Boyce
Bristol, UK
--
Petreley's First Law of Computer Journalism: 
No technology exists until Microsoft invents it.






Re: Updating Snort Signatures In Stable ?

2002-12-09 Thread Javier Fernández-Sanguino Peña
On Mon, Dec 09, 2002 at 12:32:21AM +, Nick Boyce wrote:
> > On Sat, Dec 07, 2002 at 02:46:01AM +, Nick Boyce wrote:
> > > I'd suggest maybe a note about V1.8.4 being useless should be added
> > > to http://packages.debian.org/stable/net/snort.html, along with some
> > > advice about getting signature updates (i.e. roll your own).
> >
> > Why not file a bug?
>
> Erm, ok - is that the right way to get a docs amendment done ?

What doc are you talking about? The html page is generated
automatically based on the package description.

> (Rather than, say, emailing the package maintainer, who I see is
> Robert van der Meulen [EMAIL PROTECTED]) ?

It's best to use the BTS, that way _you_ can track/discuss with
the maintainer and this information is public for others to browse/comment
on.

> If I submit a bug (never done that before) for this, would you say it
> should have severity important, or minor ?  (It doesn't seem like
> a normal bug :-)

Please read first: bugs.debian.org
The bug you are talking about is a 'wishlist' (or minor) bug. The
package can be used but you would like something to be done to fix a given
issue. Notice that your issue is a problem, not related to the Debian
package, but to the way the snort project changes the rules _and_ the IDS
engine.

Please open this bug giving appropriate information so that the
maintainer can understand the issue, try to be as verbose as possible
and (maybe) suggest how it could be fixed. Also, first check if it has
been reported before (go to bugs.debian.org/snort) and see the 'open'
bugs.

Regards


Javi




msg08087/pgp0.pgp
Description: PGP signature


Re: Updating Snort Signatures In Stable ?

2002-12-08 Thread Nick Boyce
On Sat, 7 Dec 2002 13:51:11 +0100, Javier Fernández-Sanguino Peña
wrote:

> On Sat, Dec 07, 2002 at 02:46:01AM +, Nick Boyce wrote:
> > I'd suggest maybe a note about V1.8.4 being useless should be added
> > to http://packages.debian.org/stable/net/snort.html, along with some
> > advice about getting signature updates (i.e. roll your own).
>
> Why not file a bug?

Erm, ok - is that the right way to get a docs amendment done ?
(Rather than, say, emailing the package maintainer, who I see is
Robert van der Meulen [EMAIL PROTECTED]) ?

If I submit a bug (never done that before) for this, would you say it
should have severity important, or minor ?  (It doesn't seem like
a normal bug :-)

Thanks,
Nick Boyce
Bristol, UK
--
Ok spammer, I'll 'just hit delete'. You can be 'Delete'.
 --  Ron SuperTroll Ritzman, NANAE






Re: Updating Snort Signatures In Stable ?

2002-12-07 Thread Noah L. Meyerhans
On Sat, Dec 07, 2002 at 01:51:11PM +0100, Javier Fernández-Sanguino Peña wrote:
> > IIRC important new versions of existing packages are allowed into
> > point releases, so maybe Woody's main Snort engine binary packages can
> > be updated when 3.0r1 happens.
>
> That won't happen sorry. That's just not the way Debian works,
> 3.0r1 will have no new code, just important bug (and security) fixes.

Well, a case could be made for the presence of an old, unmaintained,
unusable snort being a security bug.

> The problem is that if the snort people change the engine _and_
> the rulebase then Debian can never support new rules for old (stable)
> releases (which could be asked for point releases).

Obviously this is a problem that will face other distributors, as well
as Debian.  Our policy WRT stable revisions, though, may be unique.
Situations such as this do expose weaknesses in our policy, and warrant
further thought.  I don't believe we should leave our users in the state
that they're in with the woody version of snort being the only
supported version available.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Updating Snort Signatures In Stable ?

2002-12-07 Thread Javier Fernández-Sanguino Peña
On Sat, Dec 07, 2002 at 02:46:01AM +, Nick Boyce wrote:
> I'd suggest maybe a note about V1.8.4 being useless should be added
> to http://packages.debian.org/stable/net/snort.html, along with some
> advice about getting signature updates (i.e. roll your own).

Why not file a bug?

> IIRC important new versions of existing packages are allowed into
> point releases, so maybe Woody's main Snort engine binary packages can
> be updated when 3.0r1 happens.

That won't happen sorry. That's just not the way Debian works,
3.0r1 will have no new code, just important bug (and security) fixes.


> And I still think it'd be nice if we could find a way to package up
> and push out stable signature updates - but I can see why that would
> be difficult to set policy for.
 
The problem is that if the snort people change the engine _and_
the rulebase then Debian can never support new rules for old (stable)
releases (which could be asked for point releases). 

Regards


Javi




Re: Updating Snort Signatures In Stable ?

2002-12-06 Thread Javier Fernández-Sanguino Peña
On Fri, Dec 06, 2002 at 04:18:52AM +, Nick Boyce wrote:
 
> If so, are there any special steps required to integrate such a
> download into our Debian Woody system ?

Yes. See below.

> Alternatively, I note there are later signature packages in testing
> and unstable - can we use those on a Woody system ?


No, you can't. There are changes in the signature definition that
will only work with the unstable version (sid's) and will not work in
woody.

For the moment, the only thing you can do is download sid's
package for snort and compile it in a woody system. This is easier than
you might think since it has proper Build-Depends so you might need only
to point apt to the sid sources and ask it to download the source and
--compile it.

I have done this successfully in a woody box and could probably
post the compiled packages somewhere if anyone is interested (but cannot
compromise to recompile for woody each time a new version is available in
sid).

This is a known issue (it also affects antivirus) and has been
debated at length in debian-devel. You might want to search the archive
for more information.

Regards


Javi





Re: Updating Snort Signatures In Stable ?

2002-12-06 Thread Kristof Goossens
On Fri, Dec 06, 2002 at 04:18:52AM +, Nick Boyce wrote:
> I searched the debian-security archive but didn't hit any items
> discussing this, so maybe it's a dumb question - sorry, I'm a newb
> here.
>
> Thanks for _any_ comments at all.

Well, the version I am running at this time is Version 1.9.0 (Build 209)
and was downloaded from snort.org.

My friend was kind enough to write a script that downloads signatures for
this version from the snort site... This script alters the snort.conf file
to include any new rulefiles and restarts snort if necessary...

I find this script very useful and use it in combination with cron...
Anyhow: this is the script located @ www.xssass.be...

Kind regards,
Kristof Goossens

-- 
Digital fingerprint: F56F F987 0E0C AFF8 0B6D  7CA1 F152 E07D 72AF 337B
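
Added example, not the script referenced in the message above: one way to do the snort.conf step it describes, adding include lines for rule files that are not yet referenced and reporting whether a restart is needed. It assumes the rule files were already downloaded and checked by other means; the function names, the `$RULE_PATH/` include prefix and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; names and default prefix are illustrative assumptions.

# included_rule_files CONF
# Print the base name of every file named on an "include" line in CONF,
# whether that line is active or commented out.
included_rule_files() {
    sed -n 's/^[[:space:]]*#*[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
        sed 's|.*/||'
}

# sync_rule_includes CONF RULES_DIR [PREFIX]
# Append "include PREFIXname" for each RULES_DIR/*.rules that CONF does not
# mention yet. A commented-out include counts as mentioned, so a rule file
# the administrator disabled on purpose is not switched back on.
# Returns 0 if CONF changed (restart needed), 1 if unchanged, 2 on error.
sync_rule_includes() {
    sri_conf=$1
    sri_dir=$2
    sri_default='$RULE_PATH/'       # assumed include style; pass PREFIX to override
    sri_prefix=${3-$sri_default}
    [ -f "$sri_conf" ] && [ -w "$sri_conf" ] && [ -d "$sri_dir" ] || return 2

    sri_known=$(included_rule_files "$sri_conf")
    sri_added=0
    for sri_path in "$sri_dir"/*.rules; do
        [ -f "$sri_path" ] || continue          # glob matched nothing
        sri_name=${sri_path##*/}
        if printf '%s\n' "$sri_known" | grep -Fqx -- "$sri_name"; then
            continue
        fi
        # Keep the new entry on its own line if CONF lacks a final newline.
        if [ -n "$(tail -c 1 "$sri_conf")" ]; then
            echo >> "$sri_conf"
        fi
        printf 'include %s%s\n' "$sri_prefix" "$sri_name" >> "$sri_conf" || return 2
        sri_added=$((sri_added + 1))
    done
    [ "$sri_added" -gt 0 ]
}

# Possible cron use (paths and init script location are assumptions):
#   sync_rule_includes /etc/snort/snort.conf /etc/snort/rules \
#       && /etc/init.d/snort restart

# Offline demonstration on constructed files: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    mkdir "$demo_dir/rules"
    : > "$demo_dir/rules/bad-traffic.rules"
    : > "$demo_dir/rules/icmp-info.rules"
    : > "$demo_dir/rules/web-cgi.rules"
    cat > "$demo_dir/snort.conf" <<'EOF'
include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/icmp-info.rules
EOF
    if sync_rule_includes "$demo_dir/snort.conf" "$demo_dir/rules"; then
        echo "snort.conf changed, restart needed:"
    else
        echo "snort.conf unchanged:"
    fi
    cat "$demo_dir/snort.conf"
    rm -rf "$demo_dir"
fi
```
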





Re: Updating Snort Signatures In Stable ?

2002-12-06 Thread Matt Zimmerman
On Thu, Dec 05, 2002 at 11:55:02PM -0500, Noah L. Meyerhans wrote:

> This has been discussed before.  The thing is, I think that if you're
> serious about using snort, you should not even consider using the one in
> Debian.  snort.org doesn't even distribute up-to-date rules files for
> the version in stable.  So if you want to have a useful ruleset, you
> either need to figure out how to write it for the version in stable, or
> you need to get a new version from snort.org.  Either way, you're
> working outside the Debian system.

Why couldn't one just use the version from unstable (presumably building it
from source)?



-- 
 - mdz






Re: Updating Snort Signatures In Stable ?

2002-12-06 Thread Nick Boyce
On Fri, 06 Dec 2002 04:18:52 +, I wrote:

> I've been running Snort for a month or so now on a Woody box at work,
> and am now wondering whether the Debian Project (or packager) has a
> Plan for providing signature file updates to users of the stable
> distribution.

Well thanks for the answers folks - it seems clear (especially after
checking http://www.snort.org/dl/rules/, which says "If you are using
a version before 1.9.x, please upgrade") that I should stop using the
Debian stable V1.8.4 package and switch to hand-built V1.9.0 made from
source - and I'll gladly grab Kristof's signature update script and
adapt to my needs (thanks for that).

[I hope my current MySQL and Acidlab backend works with the later
Snort - I guess I'm about to find out ..]

I'd suggest maybe a note about V1.8.4 being useless should be added
to http://packages.debian.org/stable/net/snort.html, along with some
advice about getting signature updates (i.e. roll your own).

IIRC important new versions of existing packages are allowed into
point releases, so maybe Woody's main Snort engine binary packages can
be updated when 3.0r1 happens.

And I still think it'd be nice if we could find a way to package up
and push out stable signature updates - but I can see why that would
be difficult to set policy for.

Cheers,

Nick Boyce
Bristol, UK
--
... the fundamental design flaws are completely hidden by the
superficial design flaws.
Douglas Adams(1952 - 2001): So Long and Thanks For All The Fish.






Updating Snort Signatures In Stable ?

2002-12-05 Thread Nick Boyce
I've been running Snort for a month or so now on a Woody box at work,
and am now wondering whether the Debian Project (or packager) has a
Plan for providing signature file updates to users of the stable
distribution.

The snort-rules-default package available in stable never gets updated
- nor would we normally expect it to unless a security vulnerability
arises - but obviously IDS signatures must be kept up to date on a
*timely* basis, just like antivirus package signatures, for the
package to be fully effective.

I don't intend any criticism, but do wonder what we're expected to do
about this - download fresh signatures straight from www.snort.org ?

If so, are there any special steps required to integrate such a
download into our Debian Woody system ?

Alternatively, I note there are later signature packages in testing
and unstable - can we use those on a Woody system ?

I searched the debian-security archive but didn't hit any items
discussing this, so maybe it's a dumb question - sorry, I'm a newb
here.

Thanks for _any_ comments at all.

Nick Boyce
Bristol, UK
--
Stenderup's Law: The sooner you fall behind, the more time you will have to catch up.






Re: Updating Snort Signatures In Stable ?

2002-12-05 Thread Noah L. Meyerhans
On Fri, Dec 06, 2002 at 04:18:52AM +, Nick Boyce wrote:
> I've been running Snort for a month or so now on a Woody box at work,
> and am now wondering whether the Debian Project (or packager) has a
> Plan for providing signature file updates to users of the stable
> distribution.

This has been discussed before.  The thing is, I think that if you're
serious about using snort, you should not even consider using the one in
Debian.  snort.org doesn't even distribute up-to-date rules files for
the version in stable.  So if you want to have a useful ruleset, you
either need to figure out how to write it for the version in stable, or
you need to get a new version from snort.org.  Either way, you're
working outside the Debian system.

There have been proposals for the creation of a dynamic section of the
Debian distribution to contain data that frequently changes.  However,
in the case of snort, where the new data may well not work with the old
software, this doesn't help.  Really, I don't think snort should be
packaged in Debian at all.  It's one of those things that needs to be
current in order to be useful, and we just can't provide that.
Providing an ineffective version is doing a disservice to our users,
since it provides them with incorrect data (e.g. by telling them that
there are no known vulnerabilities on the machines they scan).

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




