On Mon, Aug 25, 2003 at 01:33:37AM +0200, Goswin von Brederlow wrote:
>
> Why don't you add an option to load newer rulesets and/or update
> information to snort. Once a day/week/month snort you probe some url
> for a signed ruleset or news file and report to the user about any
> updates.
>
> That way you can have the binary in stable and still provide changes
> on a more regular basis.

That's a perfect solution, but only works for the cases which the snort binary can understand the rulesets which are being downloaded.

The way I understand the current situation the real problem is that the stable snort cannot understand the newer rule files; because it's simply too old.

However the solution would have to be a little bit more complex than that which you select - blindly installing the rulesets might not be the best idea.

I'd love to see a system which used a simple curses interface to:

1. List all new rulesets with a description of their use. (eg. msblast.snrt - Alert on MSBlaster worm probes).
2. Upgrade all the rules which are currently installed.

(Essentially apt-get + apt-cache for snort rules. Clearly packaging a single rule file within one package is a gross misuse of resources but it might be sufficient if they were signed and hosted somewhere sensible..)

Steve
--
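The update planner described in the message above, as an added example that is not code from the thread or from snort: it lists new rule files with their descriptions, upgrades only rule files that are already installed, and skips any rule file the installed binary is too old to parse. Assumptions: the index format, the `Min-Snort` field, all function names and the sample values are hypothetical, and the index text is taken to have already passed a detached-signature check (for example with `gpgv`) before it is parsed.

```python
import hashlib
import hmac

def parse_index(text):
    """Parse blank-line separated 'Key: value' stanzas into dicts keyed by File."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        index[fields["File"]] = fields
    return index

def vtuple(version):
    """'1.8.4' -> (1, 8, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def plan(index, installed, snort_version):
    """installed maps rule file name -> installed rule version (int).
    Returns (new, upgrades, skipped)."""
    new, upgrades, skipped = [], [], []
    for name, entry in sorted(index.items()):
        if vtuple(entry["Min-Snort"]) > vtuple(snort_version):
            skipped.append(name)  # installed binary cannot parse this rule file
        elif name not in installed:
            new.append((name, entry["Description"]))  # listed only, never auto-installed
        elif int(entry["Version"]) > installed[name]:
            upgrades.append(name)
    return new, upgrades, skipped

def verify_rule(entry, data):
    """A downloaded rule file is accepted only if it matches the hash in the signed index."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, entry["SHA256"])

def sample_index():
    """Constructed sample: three rule files with placeholder bodies."""
    bodies = {"msblast.snrt": b"placeholder body A\n",
              "scan.snrt": b"placeholder body B\n",
              "newsyntax.snrt": b"placeholder body C\n"}
    meta = [("msblast.snrt", 1, "1.8", "Alert on MSBlaster worm probes"),
            ("scan.snrt", 3, "1.8", "Constructed example: port scan alerts"),
            ("newsyntax.snrt", 1, "2.0", "Constructed example: needs a newer snort")]
    text = "\n\n".join(
        f"File: {n}\nVersion: {v}\nMin-Snort: {m}\n"
        f"SHA256: {hashlib.sha256(bodies[n]).hexdigest()}\nDescription: {d}"
        for n, v, m, d in meta)
    return text, bodies

if __name__ == "__main__":
    text, _ = sample_index()
    print(plan(parse_index(text), {"scan.snrt": 2}, "1.8"))
```

Because only the index is signed, each rule file's integrity rests on the per-file hash check, so `verify_rule` has to pass before a file replaces an installed one.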