
Re: Splitting up snort



On Thu, 22 Mar 2001, Robert van der Meulen wrote:

>Hi,
>
>'snort' is a network intrusion detection system. Apart from the binary and
>the 'standard' config files, there are some config file 'libraries'
>(currently in /etc/snort), containing attack patterns to scan the network
>for.
>I think /etc/snort is not the correct place to have these attack patterns,
>and I'd like to move these to /var/lib/snort.

Just one thing: wherever they are, I as sysadmin want some kind of
protection against an upgrade wiping out months of work.  /etc is usually
a good place for this, as it places them in an "apt DMZ" where most
non-moronic DDs know better than to tread lightly, and the moronic ones
usually get a portion of what they deserve.

>Then I'd like to split snort up in a 'snort' package, and a 'snort-patterns'
>package, the second containing the attack pattern files, to allow people to
>install newer versions of the attack patterns, made available in a .deb, so
>the complete package doesn't need upgrading when the pattern files change.
>This would allow 'unstable'-users to keep up with the rule files, and
>'stable'-users to install a new ('unstable') pattern library.

The split-up is a Good Thing.  Snort's authors are generally opposed to
prepackaging rulesets with the binary, FWIH.  So split them up, maybe make
some rulesets pre-rolled for certain situations, whatever.  But consider
making it less than a full-on dependency of snort on snort-rules: a
Suggests would do nicely.

>Would /var/lib/snort be a correct location for these patterns?
>Can a package contain only 'configuration' files?
>
>Greets,
>	Robert
>

-- 
There is no problem so great that it cannot be solved with suitable
application of High Explosives.

Who is John Galt?  galt@inconnu.isu.edu, that's who!
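The "apt DMZ" protection referred to above comes from dpkg recording an md5sum for every registered conffile and refusing to silently overwrite a file whose on-disk checksum has changed. The following added example (not from the thread or from the Debian snort package) takes such a dpkg-style "Conffiles" listing on stdin and reports which rule files an admin has modified locally, so they can be backed up before an upgrade; it assumes coreutils md5sum and mktemp are available, and the sample listing and rule files are constructed here.

```shell
# check_conffiles: read dpkg "Conffiles"-style lines (" /path md5sum [obsolete]")
# on stdin and compare each recorded md5sum with the file currently on disk.
# Prints one line per entry: "pristine", "MODIFIED" or "MISSING" plus the path.
# For a real package the listing comes from:
#   dpkg-query -W -f='${Conffiles}\n' snort | check_conffiles
check_conffiles() {
    while read -r path sum rest; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"           # packaged file removed locally
            continue
        fi
        cur=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$cur" = "$sum" ]; then
            echo "pristine $path"           # safe: upgrade may replace it
        else
            echo "MODIFIED $path"           # local work: back up before upgrading
        fi
    done
    return 0
}

# Constructed demo data: two rule files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'alert tcp any any -> any 80 (msg:"demo web";)\n' > "$demo_dir/web.rules"
printf 'alert tcp any any -> any 21 (msg:"demo ftp";)\n' > "$demo_dir/ftp.rules"
pristine_sum=$(md5sum "$demo_dir/web.rules" | cut -d' ' -f1)

# Constructed dpkg-style record: web.rules matches the packaged sum, ftp.rules
# carries a stale sum (edited locally), old.rules was deleted by the admin.
listing=" $demo_dir/web.rules $pristine_sum
 $demo_dir/ftp.rules 00000000000000000000000000000000
 $demo_dir/old.rules 11111111111111111111111111111111 obsolete"

printf '%s\n' "$listing" | check_conffiles
```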


