[Snort-users] When Upgrading Breaks Auto Rule Management
eoin.miller at ...14586...
Thu Apr 28 14:00:25 EDT 2011
On 4/28/2011 4:47 PM, Joel Esler wrote:
> On Thu, 2011-04-28 at 16:10 +0000, Eoin Miller wrote:
>> Then it occurred to me, go to the site and check if 184.108.40.206 rules are
>> available yet for registered users and after reviewing that site and the
>> SourceFire blog, it was clear that 30 days have not passed yet. Is it
>> possible to get some kind of place holder to pull down the 220.127.116.11
>> version of the rules until the 18.104.22.168 rules are available? Otherwise if
>> users roll out a new sensor within the first 30 days of a new Snort
>> version being released, their VRT auto rule updating will break until
>> the 30 days has expired.
> Maybe I am not understanding what you are asking here, but if you change
> 2905 to 2904 in pulledpork, it'll grab the 2904 rules. Is that what you
> are asking?
Yes, if you specify the version 22.214.171.124 in the pulled pork conf file
when you are actually running 126.96.36.199 to make it work. But then after
the 30 day lag has expired, you have to remember to go back in and
comment that line out of the conf file so you start pulling 188.8.131.52
rules for your 184.108.40.206 instance because if you don't there will be a
time when 220.127.116.11 is gone from the supported rule list when 18.104.22.168 is
still supported. Its an annoyance that requires good knowledge of the 30
day lag, when your snort version was released because otherwise users
will be thinking their oinkcode does not work etc etc. If there is no
22.214.171.124 available for a user because they are reg vers subscription,
then if the request for 126.96.36.199 could return the 188.8.131.52 version. Or
actually releasing 184.108.40.206 registered user rules to correspond with a
220.127.116.11 release on the same day would probably be a good idea. Otherwise
people have to deal with this type of gotcha for the 30 day lag period.
More information about the Snort-users