On Fri, Apr 25, 2003 at 10:44:49PM +0100, Nick Boyce wrote:
> The general consensus of opinion (including the Debian packager) was
> that *nobody* should even consider using the V1.8.4 Snort package in
> Woody - it's much too old, and has a number of security issues.

It's not really that it has a number of security issues; it's more that
no new rulesets are being developed for it, and thus it can't detect any
attempts to exploit vulnerabilities more recent than its last ruleset.
Obviously that defeats the purpose of using a rule-based traffic
analyzer like snort.

> Most people's advice was to stop using the Debian package, and instead
> download & compile the latest source from www.snort.org, and keep
> tracking new releases from there - and get signature updates from
> there as well. This is what I do now.

Yes, that's generally the least disruptive to your Debian system. I've
seen people run a hybrid woody/sid system just to get the new snort. If
you build it yourself, you don't need to worry about upgrading to
unstable and unsupported (by the sec team) software.

> Some people think Snort should actually be removed from the Debian
> package collection, because it will always drift seriously out of date
> over time, and because there's no easy way to incorporate up-to-date
> signatures (rules) into Debian.

It would be less of an issue if you could actually *get* new rules for
the version of snort that's in woody. There wouldn't be anything to stop
you from downloading the new rules (which are distributed independently
of snort itself and updated regularly) and untarring them into the right
place and having the right thing happen.

Yes, snort should probably not be shipping with Debian. Sticking with an
outdated version of snort is counterproductive and, at the very least,
likely to give you a false sense of security regarding the traffic
hitting your machines. I wish people were more open to the idea of
letting a wholly new version (say, an up to date 1.9) enter woody with
its next revision, but that's not going to happen.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html