[Snort-users] VRT Rules snapshot-CURRENT.tar.gz Download Error?

Nigel Houghton nhoughton at ...1935...
Fri May 29 15:08:24 EDT 2009

On Fri, May 29, 2009 at 12:35 PM, Joel Esler <jesler at ...1935...> wrote:
> On Fri, May 29, 2009 at 12:12 PM, <jlay at ...13475...> wrote:
>> > I spoke to our IT guys - sorry, This isn't possible.
>> >
>> > I also want to thank everyone for the great feedback so far.
>> >
>> > On Thu, May 28, 2009 at 5:49 PM, Sethsec <sethsec at ...11827...> wrote:
>> >
>> >> It looks like you guys are redirecting the initial request to
>> >> www.snort.org
>> >>  to dl.snort.org. Is there anyway you can do that redirection "behind
>> >> the scenes" do I don't have to add the .34 to a butt load of outgoing
>> >> fw rules?
>> >>
>> My question now is, what's the best timeframe for updating rules?  I have
>> a script that downloads the rules once a week (via oinkmaster)...should I
>> change that to something different?  Is there a way to diff the rules or
>> tarball on a box and compare to what's online before downloading?  How can
>> end users lighten the load on the snort.org site?  Just a few questions I
>> guess.
> Good questions, and I hope everyone is paying attention to this thread so we
> can lighten the load.
> I personally have a system that only runs when I get the rule email from the
> VRT.  I run it manually.  I have just automated my scripts to run, download
> the rules, create a new sid-msg.map file with my custom rules in it, restart
> barnyard and restart Snort.  Rule releases come out about every two weeks or
> so, depending upon the threats on the internet that the VRT has to cover.  I
> think once a week is a fine frequency for keeping it automated.  Depending
> upon your environment, VRT releases rules to cover Microsoft vulnerabilities
> on Patch Tuesday (Second Tuesday of every month), so shortly after this rule
> release might be a good idea.
> It's the once a minute, or once every 15 minute people we have to be
> concerned about.  Once a day is fine, but in reality, rules aren't going to
> be released that often.  I think once a week is a good frequency.

Actually, we release rules almost EVERY WEEK. Recently this has not
been the case for various reasons. But under normal circumstances you
can expect new rule files every Tuesday. (sometimes it gets pushed to
a Wednesday or Thursday) On occasion something comes up that requires
an out of band release, today would be an example of that.

Plan accordingly.

Nigel Houghton
Head Mentalist
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

More information about the Snort-users mailing list