[Snort-users] VRT Rules snapshot-CURRENT.tar.gz Download Error?

Jeff Dell jdell at ...1095...
Fri May 29 12:56:01 EDT 2009


The problem with once a week is what happens if you check on Monday at 8am
and the rules are updated on Monday at 8:05? You won't get any updates for 2
weeks. It would be really great to have something like a checksum that will
be available to see if there is a change in the rules file. This way users
know exactly when an update has occurred, and even if they check it every 15
minutes they will be checking a tiny file as compared to a 90 MB+ file. Then
incorporating this into your favorite update utility will make updates very
fast most of the time, as there won't be an update to the file, and would
severely lower the bandwidth that snort.org needs.

Cheers,

Jeff

From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Friday, May 29, 2009 12:35 PM
To: jlay at ...13475...
Cc: Snort Users List
Subject: Re: [Snort-users] VRT Rules snapshot-CURRENT.tar.gz Download Error?

On Fri, May 29, 2009 at 12:12 PM, <jlay at ...13475...> wrote:

> I spoke to our IT guys - sorry, This isn't possible.
>
> I also want to thank everyone for the great feedback so far.
>
> On Thu, May 28, 2009 at 5:49 PM, Sethsec <sethsec at ...11827...> wrote:
>
>> It looks like you guys are redirecting the initial request to
>> www.snort.org
>>  to dl.snort.org. Is there anyway you can do that redirection "behind
>> the scenes" so I don't have to add the .34 to a butt load of outgoing
>> fw rules?
>>

My question now is, what's the best timeframe for updating rules?  I have
a script that downloads the rules once a week (via oinkmaster)...should I
change that to something different?  Is there a way to diff the rules or
tarball on a box and compare to what's online before downloading?  How can
end users lighten the load on the snort.org site?  Just a few questions I
guess.

Good questions, and I hope everyone is paying attention to this thread so we
can lighten the load.  

I personally have a system that only runs when I get the rule email from the
VRT.  I run it manually.  I have just automated my scripts to run, download
the rules, create a new sid-msg.map file with my custom rules in it, restart
barnyard and restart Snort.  Rule releases come out about every two weeks or
so, depending upon the threats on the internet that the VRT has to cover.  I
think once a week is a fine frequency for keeping it automated.  Depending
upon your environment, VRT releases rules to cover Microsoft vulnerabilities
on Patch Tuesday (Second Tuesday of every month), so shortly after this rule
release might be a good idea.  

It's the once a minute, or once every 15 minutes people we have to be
concerned about.  Once a day is fine, but in reality, rules aren't going to
be released that often.  I think once a week is a good frequency.

-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
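The "poll a tiny checksum, fetch the big tarball only when it changes" scheme Jeff proposes above, and the once-a-week vs. every-15-minutes tension Joel describes, sketched as an updater-side check. This is an added example, not code from the thread, oinkmaster or snort.org; it assumes a hypothetical sidecar file in sha256sum format next to the tarball (the thread does not say snort.org publishes one), and the network fetchers are injected so the logic runs offline on constructed data.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Hypothetical names: the thread does not say snort.org publishes such a file.
TARBALL = "snortrules-snapshot-CURRENT.tar.gz"
CHECKSUM_NAME = TARBALL + ".sha256"   # assumed small sidecar file, sha256sum format

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksum_file(text: str, filename: str) -> str:
    """Return the hex digest for `filename` from sha256sum-style lines '<hex>  <name>'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == filename:
            digest = parts[0].lower()
            if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
                return digest
    raise ValueError(f"no valid checksum entry for {filename}")

def update_cycle(fetch_checksum: Callable[[], str],
                 fetch_tarball: Callable[[], bytes],
                 last_digest: Optional[str]) -> Tuple[str, Optional[str]]:
    """One poll. Returns (action, digest_to_remember).

    The tiny checksum file is fetched on every run; the 90 MB tarball is fetched
    only when the advertised digest differs from the one recorded at last install.
    """
    remote = parse_checksum_file(fetch_checksum(), TARBALL)
    if remote == last_digest:
        return "unchanged", last_digest          # nothing new, no big download
    data = fetch_tarball()
    # Verify what actually arrived matches what was advertised before touching
    # the running sensor; a truncated or tampered tarball must not be installed.
    if not hmac.compare_digest(sha256_hex(data), remote):
        return "corrupt", last_digest            # keep old rules and old state
    # Real deployment: untar, rebuild sid-msg.map, restart Snort/barnyard here.
    return "updated", remote

def demo() -> List[str]:
    """Exercise the cycle offline with constructed data standing in for the server."""
    tarball = b"constructed sample tarball bytes"        # constructed, not real rules
    digest = sha256_hex(tarball)
    checksum_text = f"{digest}  {TARBALL}\n"
    return [
        update_cycle(lambda: checksum_text, lambda: tarball, None)[0],       # first run
        update_cycle(lambda: checksum_text, lambda: tarball, digest)[0],     # repeat poll
        update_cycle(lambda: checksum_text, lambda: b"truncated", None)[0],  # bad download
    ]   # ["updated", "unchanged", "corrupt"]

if __name__ == "__main__":
    print(demo())
```

Where the server supports it, an HTTP conditional GET (If-Modified-Since or ETag) gives the same "fetch only if changed" behaviour without a separate checksum file, but it does not replace verifying the downloaded tarball before installing it.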
