[Snort-users] When Upgrading Breaks Auto Rule Management
Dylan.Merida at ...15123...
Thu Apr 28 14:20:50 EDT 2011
You can actually change your version to "edge" and this will ensure you're always getting the newest rules, but this causes other problems. For instance, so rules appear to stop functioning after making any change or enabling the version variable. PulledPork won't let you set the edge tar with the rules_url variable in the config; it always overwrites it with the automatic version check, so this is more of a problem with PulledPork.
Seems to always use the snapshot tar with a version number instead, so you have to change the version variable on down in the config. Again, this appears to break so rules though.
Eastern Kentucky University
On Apr 28, 2011, at 2:13 PM, Jason Wallace wrote:
> Isn't this what "snortrules-snapshot-edge.tar.gz" is supposed to
> handle? I thought "edge" would give you the most recent version of the
> rules you have access to and it would automatically determine
> registered user vs. subscription user based on the oink code you give
> On Thu, Apr 28, 2011 at 2:00 PM, Eoin Miller
> <eoin.miller at ...14586...> wrote:
>> On 4/28/2011 4:47 PM, Joel Esler wrote:
>>> On Thu, 2011-04-28 at 16:10 +0000, Eoin Miller wrote:
>>>> Then it occurred to me, go to the site and check if 188.8.131.52 rules are
>>>> available yet for registered users and after reviewing that site and the
>>>> SourceFire blog, it was clear that 30 days have not passed yet. Is it
>>>> possible to get some kind of place holder to pull down the 184.108.40.206
>>>> version of the rules until the 220.127.116.11 rules are available? Otherwise if
>>>> users roll out a new sensor within the first 30 days of a new Snort
>>>> version being released, their VRT auto rule updating will break until
>>>> the 30 days has expired.
>>> Maybe I am not understanding what you are asking here, but if you change
>>> 2905 to 2904 in pulledpork, it'll grab the 2904 rules. Is that what you
>>> are asking?
>> Yes, if you specify the version 18.104.22.168 in the pulled pork conf file
>> when you are actually running 22.214.171.124 to make it work. But then after
>> the 30 day lag has expired, you have to remember to go back in and
>> comment that line out of the conf file so you start pulling 126.96.36.199
>> rules for your 188.8.131.52 instance because if you don't there will be a
>> time when 184.108.40.206 is gone from the supported rule list when 220.127.116.11 is
>> still supported. It's an annoyance that requires good knowledge of the 30
>> day lag, when your snort version was released because otherwise users
>> will be thinking their oinkcode does not work etc etc. If there is no
>> 18.104.22.168 available for a user because they are reg vers subscription,
>> then if the request for 22.214.171.124 could return the 126.96.36.199 version. Or
>> actually releasing 188.8.131.52 registered user rules to correspond with a
>> 184.108.40.206 release on the same day would probably be a good idea. Otherwise
>> people have to deal with this type of gotcha for the 30 day lag period.
>> -- Eoin