[Snort-users] rules update schedule (was: Re: so_rule problem)

Nigel Houghton nhoughton at ...1935...
Fri Oct 1 14:04:00 EDT 2010


On Fri, 01 Oct 2010 13:35:59 -0400, waldo kitty wrote:
> On 10/1/2010 13:14, Nigel Houghton wrote:
>> On Fri, 01 Oct 2010 12:37:14 -0400, waldo kitty wrote:
>>> i had a similar discussion to this some time back in another venue and
>>> at that time the question was does VRT update the "registered" rules
>>> snapshot every day so that there's a "rolling release" or do they
>>> simply wait and do one release every 30 days... AIR, no one ever
>>> answered that question or provided a pointer to where it might be
>>> answered...
>> 
>> Didn't see that question, but to answer it: the rollover is automatic.
> 
> yeah, i think it was before i joined the SF lists so you're off the hook :P
> 
> i guess what i'm really trying to dig out is the answers to the following
> questions...
> 
> 1. are rules released daily or are they held and released in batches
> once a week or month?

The schedule is roughly twice a week (Tuesdays and Thursdays). That 
can change though, sometimes more often, sometimes once a week. We'll 
always try to get something out for 0day stuff immediately though.

Remember, we do rigorous testing on rules; the regression suite goes 
through millions of tests and if something fails horribly, it can delay 
releases. We were thinking of introducing numbering for the rule pack 
releases (like we have for the Sourcefire 3D releases) but that might 
create more confusion as folks would see missing numbers as certain 
builds don't make it into release. We figure finding rule packs by date 
is easy enough anyway; the only time that gets confusing is in the rare 
occurrence where two or more rule releases are issued on the same day, 
which has happened on some occasions.
 
> 2. can you list possible reasons why an initial update connection may
> be 403'd and the 15 minute delay initiated?

Don't know. Try contacting snort-site at ...1935... for answers to 
those questions. We do not control the backend (or frontend) systems.

> 3. is it possible that even after waiting out the 15 minute delay
> that one might be 403'd again?

Don't know. Try contacting snort-site at ...1935... for answers to 
those questions. We do not control the backend (or frontend) systems.

> 4. will we see the return of the reason for the 403 and the try again in X 
> minutes in the 403 messages or will they remain plain jane 403's with no 
> information that can be passed back to the user via message or logs?

Don't know. Try contacting snort-site at ...1935... for answers to 
those questions. We do not control the backend (or frontend) systems.

> the answers could greatly help with eliminating unnecessary updating
> schedules and traffic...

I think if you work on the assumption that rules will get updated on 
Tuesdays and Thursdays you'll be good to go. Of course, everything 
that you do automatically should have the option to run manually should 
it be necessary. Keep an eye on the snort-sigs list or the blog or 
snort.org (there's an RSS feed for rule release info at 
http://www.snort.org/vrt/advisories.xml) to see if you should manually 
update for something that falls outside the normal schedule.

> thanks for your time and attention in this! ;)

Yep.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
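The update policy Nigel sketches above (assume Tuesday/Thursday releases, keep a manual override, watch the advisories feed for out-of-band releases, and don't keep hammering the server after a 403) as an added example; this is not code from the thread, from the Snort/VRT project, or from any real updater. The feed below is a constructed RSS 2.0 sample shaped like an advisories feed, the 15-minute backoff is taken from the questioner's description of the 403 behaviour, and the state-dict field names and the `edt()` helper are this example's own assumptions.

```python
# Added example, not code from this thread or from the Snort/VRT project.
# Decision logic for a scheduled Snort rule-pack updater: honours the
# nominal Tuesday/Thursday schedule, pulls early when the advisories feed
# shows a newer release, backs off after an HTTP 403, and keeps a manual
# override. Feed sample, backoff length and state-dict names are assumptions.
import datetime as dt
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample shaped like an RSS 2.0 feed; NOT the real advisories.xml.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>VRT rule release advisories (constructed sample)</title>
<item><title>Rule release 2010-09-30</title>
<pubDate>Thu, 30 Sep 2010 16:10:00 -0400</pubDate></item>
<item><title>Rule release 2010-10-01</title>
<pubDate>Fri, 01 Oct 2010 12:05:00 -0400</pubDate></item>
</channel></rss>"""

RELEASE_WEEKDAYS = {1, 3}                     # Tuesday, Thursday (Monday == 0)
FORBIDDEN_BACKOFF = dt.timedelta(minutes=15)  # assumed wait after a 403, per the question
EDT = dt.timezone(dt.timedelta(hours=-4))     # timezone used by the thread's timestamps


def edt(year, month, day, hour=0, minute=0):
    """Helper (this example's own): build an aware datetime in EDT."""
    return dt.datetime(year, month, day, hour, minute, tzinfo=EDT)


def latest_release(feed_xml):
    """Return the newest <pubDate> in the feed as an aware datetime, or None."""
    root = ET.fromstring(feed_xml)
    dates = []
    for item in root.iter("item"):
        text = item.findtext("pubDate")
        if text:
            dates.append(parsedate_to_datetime(text))  # RFC 2822 date -> aware datetime
    return max(dates) if dates else None


def should_update(now, state, feed_xml, force=False):
    """Decide whether to contact the rule server. Returns (bool, reason).

    state: {"last_success": datetime|None, "last_forbidden": datetime|None}
    """
    if force:                                   # the manual override Nigel recommends
        return True, "manual run requested"
    last_forbidden = state.get("last_forbidden")
    if last_forbidden is not None and now - last_forbidden < FORBIDDEN_BACKOFF:
        return False, "within backoff window after HTTP 403"
    last_success = state.get("last_success")
    newest = latest_release(feed_xml)
    if newest is not None and (last_success is None or newest > last_success):
        return True, "feed shows a release newer than the last successful update"
    if now.weekday() in RELEASE_WEEKDAYS and (
        last_success is None or last_success.date() < now.date()
    ):
        return True, "scheduled release day and not yet updated today"
    return False, "nothing new; skip to avoid needless traffic"


def note_response(state, status, now):
    """Record the outcome of an update attempt by HTTP status code."""
    if status == 200:
        state["last_success"] = now
        state["last_forbidden"] = None
    elif status == 403:
        state["last_forbidden"] = now          # arms the backoff in should_update()
    return state


if __name__ == "__main__":
    state = {"last_success": edt(2010, 9, 30, 17, 0), "last_forbidden": None}
    now = edt(2010, 10, 1, 13, 0)              # the Friday this thread was written
    print(should_update(now, state, SAMPLE_FEED))
    note_response(state, 403, now)
    print(should_update(now + dt.timedelta(minutes=5), state, SAMPLE_FEED))
```

Run it from cron every hour or so; the feed check is cheap and the function only says "go" on a scheduled day not yet fetched, when the feed shows something newer, or when an operator forces it, so the questioner's concern about needless update traffic is handled without giving up on out-of-band releases.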