[Snort-users] rules downloads and scalability

Martin Roesch roesch at ...1935...
Mon Sep 18 11:18:25 EDT 2006



FYI, every once in a while we were getting people who didn't know how  
to configure cron who were trying to download rule updates every  
second.  Since we update rules typically on a daily basis at best, 15  
minutes ought to work pretty well for everyone...

      -Marty

On Sep 18, 2006, at 9:21 AM, Eric Hines wrote:

> I do want to add to my comment. I do understand Sourcefire's reasoning
> for doing this. With the number of times Snort has been downloaded and
> half that number of people were checking our web site multiple times a
> day (I hear it's as excessive as every 10 mins), I too would have put a
> mechanism in place to prevent it.
>
> Also, I took a closer look at the Sourcefire message for download
> limiting. It seems to be every 15 minutes. I think if anyone downloads
> new rules more often than every 15 minutes, something needs to be  
> changed :)
>
> - -------------- snip -------------
>
> Next download available at: 2006-09-18 09:33:54 (Currently: 2006-09-18
> 09:18:55)
>
> You don't have permission to access
> /pub-bin/downloads.cgi/Download/vrt_os/snortrules- 
> snapshot-2.4.tar.gz on
> this server.
>
> - -------------- snap -------------
>
>
> Best Regards,
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
>
> - --------------------------------------------------
>
> Email:   eric.hines at ...8860...
> Address: 1095 Pingree Road
>          Suite 221
>          Crystal Lake, IL
>          60014
> Tel:     (877) 262-7593 ext:327
> Local:   (847) 854-5831
> Fax:     (847) 854-5106
> Web:     http://www.appliedwatch.com
>
> - --------------------------------------------------
> Security Management for the Open Source Enterprise
>
>
>
>
>
> Eric Hines wrote:
>> Jason,
>>
>> It's not limiting specific to Oinkmaster. Applied Watch began  
>> seeing this
>> a few weeks ago through regular rule downloads with our Command  
>> Center
>> using specific Oink Code. Sourcefire seems to be limiting user- 
>> specific
>> Oink Code to download rules only once a day.
>>
>> Eric Hines, GCIA, CISSP
>> CEO, President
>> Applied Watch Technologies, LLC
>> 1095 Pingree Road
>> Suite 221
>> Crystal Lake, IL 60014
>> Tel: (877) 262-7593
>> Web: http://www.appliedwatch.com
>>
>> Jason Haar wrote:
>>> I notice the "www.snort.org/pub-bin/oinkmaster.cgi" script has  
>>> some form
>>> of download limiting component (to stop people like me repeatedly
>>> downloading the same live data while editing/updating local  
>>> scripts - ahem).
>>>
>>> Anyway, such scaling issues happen. I'd like to suggest that  
>>> Sourcefire
>>> look to ClamAV to see how they handled people hammering their  
>>> servers
>>> looking for updates that didn't exist (i.e. they were already up to
>>> date). Their rules basically have a serial number and they put  
>>> that into
>>> a DNS record, and then their freshclam update daemon looks to  
>>> that DNS
>>> record before deciding to actually do a HTTP connection to  
>>> download an
>>> update. That plus some time-of-day randomization and load sharing  
>>> should
>>> go a loooong way on the scalability side...
>>>
>>> Just an idea.
>>>
>>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
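Added example, not code from this thread, from Sourcefire, or from ClamAV: a POSIX shell script that does what Jason describes freshclam doing, reading a serial number from a DNS TXT record and only fetching the rules tarball when that serial is newer than the one already installed, with the time-of-day jitter he mentions and a cron cadence matching the 15-minute limit Marty and Eric refer to. The record name `rules-serial.example.net`, the `snortrules-2.4:<serial>` record format, the state file path and the `oinkmaster -o` invocation are all assumptions made for the example; no such DNS record is published by snort.org.

```shell
#!/bin/sh
# Added example (not from this thread, Sourcefire or ClamAV): check a serial
# number published in DNS before spending an HTTP download on the rules tarball,
# the way freshclam does for ClamAV signatures.
#
# Assumptions (hypothetical, not a real Sourcefire service):
#   - a TXT record at $SERIAL_RECORD whose value looks like "snortrules-2.4:20060918001"
#   - $STATE_FILE holds the serial of the last tarball actually installed
#   - oinkmaster is configured separately with the oinkcode URL; -o is its output dir

STATE_FILE="${STATE_FILE:-/var/lib/snort/rules.serial}"
SERIAL_RECORD="${SERIAL_RECORD:-rules-serial.example.net}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"

# parse_serial RAW_TXT -> prints the numeric serial, or nothing if the record is malformed
parse_serial() {
  printf '%s\n' "$1" | tr -d '"' | sed -n 's/^snortrules-[0-9.]*:\([0-9][0-9]*\)$/\1/p'
}

# need_update REMOTE LOCAL -> 0 fetch, 1 already current, 2 remote serial unusable
need_update() {
  remote=$1; have=$2
  case $remote in ''|*[!0-9]*) return 2 ;; esac   # refuse to act on a bad/empty record
  case $have in ''|*[!0-9]*) return 0 ;; esac     # never fetched, or corrupt state: fetch
  [ "$remote" -gt "$have" ] && return 0
  return 1
}

# jitter WINDOW -> prints a delay in [0, WINDOW) seconds so sensors spread their hits
jitter() {
  if [ -n "${RANDOM:-}" ]; then r=$RANDOM; else r=$$; fi   # dash has no $RANDOM
  echo $(( r % $1 ))
}

# lookup_serial -> first TXT value for the record (dig is only called from main)
lookup_serial() {
  dig +short TXT "$SERIAL_RECORD" 2>/dev/null | head -n 1
}

main() {
  remote=$(parse_serial "$(lookup_serial)")
  have=$(cat "$STATE_FILE" 2>/dev/null)
  rc=0; need_update "$remote" "$have" || rc=$?
  case $rc in
    0) sleep "$(jitter 300)"
       oinkmaster -o "$RULES_DIR" && printf '%s\n' "$remote" > "$STATE_FILE" ;;
    1) echo "serial $remote already installed, skipping download" ;;
    *) echo "no usable serial in TXT $SERIAL_RECORD, not downloading" >&2; exit 1 ;;
  esac
}

# crontab entry: every 15 minutes, matching the server-side limit described in the thread
#   */15 * * * * /usr/local/sbin/snort-rules-check --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Only the decision logic touches the network-free functions; the DNS query (a few dozen bytes, answered from the resolver's cache) is made every run, while the HTTP download happens only when the serial actually moves. A corrupt or missing state file falls back to fetching, but a missing or garbled TXT record deliberately does nothing, so a DNS failure cannot turn thousands of sensors into a download storm.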

