On Mon, Aug 25, 2003 at 01:33:37AM +0200, Goswin von Brederlow wrote:
>
> Why don't you add an option to load newer rulesets and/or update
> information to snort. Once a day/week/month snort you probe some url
> for a signed ruleset or news file and report to the user about any
> updates.
>
> That way you can have the binary in stable and still provide changes
> on a more regular basis.

That's a perfect solution, but only works for the cases in which the
snort binary can understand the rulesets which are being downloaded.

The way I understand the current situation the real problem is that
the stable snort cannot understand the newer rule files; because it's
simply too old.

However the solution would have to be a little bit more complex than
that which you select - blindly installing the rulesets might not be
the best idea.

I'd love to see a system which used a simple curses interface to:

1. List all new rulesets with a description of their
   use. (eg. msblast.snrt - Alert on MSBlaster worm probes).
2. Upgrade all the rules which are currently installed.

(Essentially apt-get + apt-cache for snort rules. Clearly packaging a
single rule file within one package is a gross misuse of resources but
it might be sufficient if they were signed and hosted somewhere
sensible..)

Steve
--

