[Snort-sigs] Recent [unilateral, unannounced] Rule Changes

Mike Guiterman mguiterman at ...435...
Thu Jul 1 10:34:25 EDT 2010

JP (and all)

Thanks for the pointed criticism and suggestions for improving
communications about changes that impact users.  Communicating change
to a vast, diverse community is difficult so we appreciate the input
on doing it better.

The changes to the rules download process in April and again this
month were designed to resolve two of the most common complaints from
the community:
1. Reduce the size of VRT downloads.  The April 26 change reduced the
rules files size by about 4X.  Yes - this was communicated on 4/26,
but we provided a 30-day window to make the change.  Here's a snip
describing the window and a link to the message on snort-sigs.


"The Old Package names are still available but they are now symlinked to
the new package names.  The symlinks will exist for the next 30 days.

Symlinks Subscriber:
1. snortrules-snapshot-2853_s.tar.gz ->
2. snortrules-snapshot-2853_s.tar.gz ->

The above is not a typo. The 2853 is symlinked to CURRENT and 2.8
this is intentional, as to not break auto downloaders that define
CURRENT incorrectly."

2. Improve reliability for rules downloads.  The move to S3 is
intended to accomplish this with the additional benefit of removing
the 15 minute download restriction.

Given the headaches caused (and putting the inaccurate guidance I
posted aside for this thread) we should have provided a longer window
for users to digest the change and plan the update like we did in

In the future I don't know that setting up yet another mailing list is
the solution, but your point on communicating changes in advance is
well taken.  For future changes I'll commit to exhausting all of the vehicles
(mailing lists, VRT Blog, Snort.org) and ensure changes like this are
communicated in advance and in a coordinated manner across the

For now - Anyone using VRT rules really should subscribe to snort-sigs
and the VRT blog.  Those are the two primary communication outlets for
the VRT.  We realize that many don't so we'll expand where these
changes are announced.

We appreciate your patience as we grow our systems to support a
growing community


On Thu, Jul 1, 2010 at 1:53 AM, JP Vossen <jp at ...1432...> wrote:

> > Date: Wed, 30 Jun 2010 18:43:50 -0400
> > Subject: [Snort-sigs] Recent Rule Changes
> >
> > As many of you know, we changed the way that we allow for downloads from
> > Snort.org.
>
> Yes, we know.  Now.
> Apologies if I missed the 3-5 change notifications that any first-year
> sysadmin would know enough to start sending *weeks* in advance of a
> change like this, but checking the ML archives I don't see them either.
> You guys REALLY, REALLY need to stop unilaterally pulling the rug out
> from under your paying users, with no notice whatsoever!
> That's two show-stoppers in two months, and one change introduced last
> time you broke it is now gone this time you broke it ("There is no need
> for the _s anymore") [1].
> 2010-06-28: broke how rules are downloaded [2]
> 2010-04-26: broke how rules are downloaded [3]
> I suggest you resurrect the "Announce" ML (dead since mid-2007),
> subscribe the other lists to it, feed it from the VRT Blog (maybe,
> debatable), and make *any* change that impacts your customers in *any*
> way without several notices going to that list a serious disciplinary
> offense.
> Don't get me wrong, I love snort.  I even get that this latest change is
> going to be a big scalable help.  What I don't get is why you guys think
> it's OK to break one of the fundamental things you have people
> paying for without any advance notice.
> Would you put up with that from your vendor?
> JP
> PS--Not picking on Joel either, since he's on the sharp end, I doubt it
> was his idea to do it this way.  But the next time the IT guys say, "hey
> send out this announcement after the fact," you have to push them back.
>  No, you can't change fundamental, customer-facing facilities with zero
> warning.
> ___________________________
> [1] http://marc.info/?l=snort-sigs&m=127782132231177&w=2
> [2] http://marc.info/?l=snort-sigs&m=127775719011156&w=2
> [3] http://vrt-sourcefire.blogspot.com/2010/04/rule-release-for-today-april-26th-2010.html
> ----------------------------|:::======|-------------------------------
> JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
> My Account, My Opinions     |=========|      http://www.jpsdomain.org/
> ----------------------------|=========|-------------------------------
> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
> software required to protect Windows from its own poorly designed and
> implemented self, while the overhead incidentally flattens Moore's Law.