[Snort-users] When Upgrading Breaks Auto Rule Management
eoin.miller at ...14586...
Thu Apr 28 14:00:25 EDT 2011
On 4/28/2011 4:47 PM, Joel Esler wrote:
> On Thu, 2011-04-28 at 16:10 +0000, Eoin Miller wrote:
>> Then it occurred to me, go to the site and check if 126.96.36.199 rules are
>> available yet for registered users and after reviewing that site and the
>> SourceFire blog, it was clear that 30 days have not passed yet. Is it
>> possible to get some kind of placeholder to pull down the 188.8.131.52
>> version of the rules until the 184.108.40.206 rules are available? Otherwise if
>> users roll out a new sensor within the first 30 days of a new Snort
>> version being released, their VRT auto rule updating will break until
>> the 30 days have expired.
> Maybe I am not understanding what you are asking here, but if you change
> 2905 to 2904 in pulledpork, it'll grab the 2904 rules. Is that what you
> are asking?
Yes, if you specify the version 220.127.116.11 in the pulledpork conf file
when you are actually running 18.104.22.168 to make it work. But then after
the 30-day lag has expired, you have to remember to go back in and
comment that line out of the conf file so you start pulling 22.214.171.124
rules for your 126.96.36.199 instance, because if you don't there will be a
time when 188.8.131.52 is gone from the supported rule list while 184.108.40.206 is
still supported. It's an annoyance that requires good knowledge of the 30-day
lag and of when your Snort version was released, because otherwise users
will be thinking their oinkcode does not work, etc. If there is no
220.127.116.11 available for a user because they are reg vers subscription,
then the request for 18.104.22.168 could return the 22.214.171.124 version. Or
actually releasing 126.96.36.199 registered user rules to correspond with a
188.8.131.52 release on the same day would probably be a good idea. Otherwise
people have to deal with this type of gotcha for the 30-day lag period.
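One way to automate the fallback and the later un-pinning that the reply describes, as an added example that is not code from this thread, from PulledPork or from Snort. The snapshot filename format and the list of published snapshot versions are assumptions constructed for the example; the version to request is picked from whatever the rule site currently lists.

```python
"""Pick the VRT rule snapshot to request when registered-user rules for the
running Snort version lag its release, and say when a pinned fallback can go.

Added example for the thread's gotcha; not PulledPork or Snort project code.
The published-version list is constructed here, not fetched from anywhere.
"""
from typing import Optional, Sequence, Tuple


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.9.0.5' -> (2, 9, 0, 5) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def snapshot_name(version: str) -> str:
    """Tarball name in the '2905' style the thread uses (assumed format)."""
    return "snortrules-snapshot-%s.tar.gz" % version.replace(".", "")


def choose_rules_version(running: str,
                         published: Sequence[str]) -> Tuple[Optional[str], str]:
    """Return (version_to_request, status).

    'exact'       - rules for the running version are published.
    'fallback'    - newest published version older than the running one
                    (the 30-day lag case from the thread).
    'unavailable' - nothing older is published; do not guess a newer set.
    """
    if running in published:
        return running, "exact"
    older = [v for v in published if version_tuple(v) < version_tuple(running)]
    if not older:
        return None, "unavailable"
    return max(older, key=version_tuple), "fallback"


def fallback_should_be_removed(running: str, pinned: str,
                               published: Sequence[str]) -> bool:
    """True once the pinned fallback should be dropped from the conf file:
    either the running version's rules are now published, or the pinned
    version has fallen off the supported list (the silent-break case)."""
    return running in published or pinned not in published


if __name__ == "__main__":
    published = ["2.8.6.1", "2.9.0.4"]          # constructed sample listing
    version, status = choose_rules_version("2.9.0.5", published)
    print(status, snapshot_name(version) if version else "-")
    print("remove pin:", fallback_should_be_removed("2.9.0.5", "2.9.0.4", published))
```

Run on a schedule before PulledPork, the 'fallback' status is what to log loudly, and a True from fallback_should_be_removed is the reminder the thread says people forget.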