[Snort-users] rules downloads and scalability

Eric Hines eric.hines at ...8860...
Mon Sep 18 12:06:09 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I suppose Sourcefire's thinking is, which I think makes sense, say you
download new rules at 9am and a new worm or pretty nasty exploit
surfaces at noon. Then, new Snort signatures are released at 3:00pm. If
it were limited to once a day, you wouldn't be able to grab those rules
until 12:01am the next day :/

But then again, you wouldn't be able to get them that quickly unless you
were a VRT paid subscriber.. so that doesn't make sense.. :/ hmm..  I
can't answer that one..

Ok, here's another idea :) You have several Snort management solutions,
each with its own method of managing Snort rules (we've got several
customers like this) where you use your oink code to download rules for
Snort management solution A and then you need to do the same for Snort
management solution B. You can't download rules for B until the next
day, so B will always be 1 day behind.

That about does it for me :) I suppose the answer to your question is,
why not? Why tie people's hands more than you actually need to.. if
every 15 minutes addresses the issue for Sourcefire, why do it longer
like 24 hours?

Just my 2 cents..


Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


- --------------------------------------------------

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

- --------------------------------------------------

Email:   eric.hines at ...8860...
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

- --------------------------------------------------
Security Management for the Open Source Enterprise





Paul Schmehl wrote:
> --On Monday, September 18, 2006 11:18:25 -0400 Martin Roesch
> <roesch at ...1935...> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> FYI, every once in a while we were getting people who didn't know how
>> to configure cron who were trying to download rule updates every
>> second.  Since we update rules typically on a daily basis at best, 15
>> minutes ought to work pretty well for everyone...
>>
> What's wrong with once a day?  Is getting new rules into snort really
> *that* critical????
> 
> Sheesh.
> 
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFDsPx1va6QYTV0EMRAqmoAJ4g+kUAt36LkeoOxrmtWMppv7bVGwCeObmL
pzZ18zkTBYyhozLmoBBiKWk=
=f8H7
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eric.hines.vcf
Type: text/x-vcard
Size: 372 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060918/76829751/attachment.vcf>


More information about the Snort-users mailing list