On Wed, Jun 08, 2005 at 02:44:28PM -0500, Eric Hines wrote:
These new SSH signatures brought down all of our customer's Snort
installations because that SSH_PORTS variable is not in the default
snort.conf file.
An alert was posted about requiring the variable a full day before the
rules were posted.
I can't see anyone needing a variable for SSH port 22. Can
we kill the variable?
People who specifically run ssh on nonstandard ports *asked* for the
variable. They're also the ones that asked for the rules.
I can't imagine how the AWCC nor any other Snort
management solution that downloads signatures from the Bleeding-Edge
database will then go in to the users snort.conf file and create this new
variable for the user.
vars can be included directly in the .rules files. If the management
solutions can't handle that, they are buggy.
The AWCC now downloads signatures from bleeding-edge automatically, I'm sure
there are other tools that do the same. Will we then expect everyone whose
maintaining a Snort ruleset management tool to also go in their and add the
SSH_PORTS variable to the snort.conf file in the case that they downloaded
Eric's SSH rules?
bleeding-snort disclaims all liability for production difficulties.
Life on the bleeding edge is sometimes perilous.
You should at least look at the deltas before importing them. You want
the rules to absolutely never crash your snort instance? fetch them
with the source code tarball.
--
Erik Fichtner; Unix Ronin
"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell
pgptE6CafF6RV.pgp
Description: PGP signature
