[Snort-sigs] Recent Rule Changes

Joel Esler jesler at ...435...
Wed Jun 30 18:43:50 EDT 2010


All,

As many of you know, we changed the way that we allow downloads from Snort.org.  In short, we've moved the downloads up to Amazon's S3 cloud architecture. This was done for several reasons, but chiefly to remove the 15 minute download restriction for certain things, and to free up the bandwidth on our networks.  As we grow and have more subscribers, this was the best way to do it.  Unfortunately we apparently still have some people with a cron job set up to download the rule pack every 1 minute, so we have to deal with those.

Now, before I describe what the URLs need to be, just to clear up any confusion, I used pulledpork (updated version 0.4.2) at home today on my machine, and after about 5 minutes of setup, my rules were downloaded, sorted, SO rules dumped, and Snort was back up and running.  Other than having to set up pulledpork, it was flawless.  So I suggest you use PulledPork to update your rulesets; it will alleviate a lot of pain.

In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:

Subscriber Release
http://www.snort.org/sub-rules/snortrules-snapshot-2860.tar.gz/OINKCODE
http://www.snort.org/sub-rules/snortrules-snapshot-2853.tar.gz/OINKCODE

Registered User Release
http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/OINKCODE
http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/OINKCODE

You will notice that the difference between the two sets of URLs above is "sub-rules" vs. "reg-rules".  You will also notice something else: we no longer have "_s" in the URL.  Many people were confused by the difference, and we wanted to clear that up by making the URL easier to recognize.

To find these instructions, go to https://www.snort.org/account/oinkcode.  You'll have to log in to get to that page, but after you do so, you will see all the instructions you'll need to download the rules the new way, as well as the URLs.  We even fill in the OINKCODE for you, using YOUR oinkcode.  So, go to that URL and you'll see all the instructions you'll need.

Now, aside from that.

Some people are writing in saying that they can't get the rules because it is giving them an error, something about --no-check-certificate and such.  I wanted to put this out to help those people; however, we don't want to get into the business of helping people administer their boxes.  The usual causes are:

#1:  Your wget does not have SSL support.  You'll need to recompile wget with SSL for this.
#2:  You are using curl and not using the "-L" command line flag (to follow the redirect to the new download location).
#3:  You are running a really, really old CA chain file that doesn't have the recent Verisign CA chain certificates in it, so certificate verification fails.

There have been a couple of posts already on how to resolve this last problem, so I'll leave it to the community to help us out with all the various Linux, BSD, Solaris, <other things we don't have a copy of or have the ability to test> systems, and maybe we'll put some hints in an FAQ if need be. (Most likely 99% of you will be fine.)
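As an added example (not from this post and not Snort.org's or PulledPork's own code), the following POSIX shell script builds the per-version snapshot URL from a Snort version string, fetches it with curl following the redirect and with certificate verification left on, and refuses to re-fetch more often than every 15 minutes. The OINKCODE value, the stamp-file path, the 15 minute interval and the four-single-digit version format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Snort.org.
# Builds the per-version snapshot URL described above, fetches it the way the
# post recommends, and throttles re-fetches. OINKCODE, stamp path, interval
# and the four-single-digit version format are assumptions.

# snort_rules_url <sub|reg> <snort-version> <oinkcode>
# Maps "2.8.6.0" to "2860", i.e. snortrules-snapshot-2860.tar.gz
snort_rules_url() {
    case "$1" in
        sub) path="sub-rules" ;;
        reg) path="reg-rules" ;;
        *)   echo "release must be 'sub' or 'reg'" >&2; return 1 ;;
    esac
    case "$2" in
        [0-9].[0-9].[0-9].[0-9]) ;;   # exactly four single-digit components
        *) echo "version must look like 2.8.6.0" >&2; return 1 ;;
    esac
    snap=$(printf '%s' "$2" | tr -d '.')
    printf 'http://www.snort.org/%s/snortrules-snapshot-%s.tar.gz/%s\n' \
        "$path" "$snap" "$3"
}

# fetched_recently <stampfile> <min-seconds>: true if the last fetch
# recorded in the stamp file is younger than the interval.
fetched_recently() {
    [ -r "$1" ] || return 1
    last=$(cat "$1"); now=$(date +%s)
    [ -n "$last" ] && [ $((now - last)) -lt "$2" ]
}

# fetch_rules <url> <outfile> <stampfile>
#  -f : fail on HTTP errors instead of saving an error page as a tarball
#  -L : follow the redirect to the S3-hosted file (problem #2 above)
#  no --insecure: an old CA bundle (problem #3) is fixed by updating the bundle
fetch_rules() {
    curl -f -L -sS -o "$2" "$1" || return 1
    date +%s > "$3"
}

# Usage: ./snort-rules.sh sub 2.8.6.0 OINKCODE   (a cron job every few hours
# is plenty; the stamp file stops a one-minute cron from hammering the server)
if [ $# -eq 3 ]; then
    stamp="/var/tmp/snortrules.stamp"            # assumed path
    if fetched_recently "$stamp" 900; then       # 900 s = 15 minutes
        echo "rules fetched less than 15 minutes ago, skipping" >&2
        exit 0
    fi
    fetch_rules "$(snort_rules_url "$1" "$2" "$3")" snortrules-snapshot.tar.gz "$stamp"
fi
```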

Thanks for your patience.  Keep Snorting!

Joel
