[Snort-users] When Upgrading Breaks Auto Rule Management

Merida, Dylan Dylan.Merida at ...15123...
Thu Apr 28 14:20:50 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can actually change your version to "edge" and this will ensure you're always getting the newest rules, but this causes other problems. For instance, so rules appear to stop functioning after making any chance or enabling the version variable. PulledPork wont let you set the edge tar with the rules_url variable in the config; it always overwrites it with the automatic version check, so this is more of a problem with PulledPork.

rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot-edge.tar.gz|<oinkcode>
Seems to always use the snapshot tar with a version number instead, so you have to change the version variable on down in the config. Again, this appears to break so rules though.

Dylan Merida
Security Analyst
Information Technology
Eastern Kentucky University

On Apr 28, 2011, at 2:13 PM, Jason Wallace wrote:

> Isn't this what "snortrules-snapshot-edge.tar.gz" is suppose to
> handle? I thought "edge" would give you the most recent version of the
> rules you have access to and it would automatically determined
> registered user vs. subscription user based on the oink code you give
> it?
> 
> rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot-edge.tar.gz|<oinkcode>
> 
> 
> thx,
> Wally
> 
> 
> On Thu, Apr 28, 2011 at 2:00 PM, Eoin Miller
> <eoin.miller at ...14586...> wrote:
>> On 4/28/2011 4:47 PM, Joel Esler wrote:
>>> On Thu, 2011-04-28 at 16:10 +0000, Eoin Miller wrote:
>>> 
>>>> Then it occurred to me, go to the site and check if 2.9.0.5 rules are
>>>> available yet for registered users and after reviewing that site and the
>>>> SourceFire blog, it was clear that 30 days have not passed yet. Is it
>>>> possible to get some kind of place holder to pull down the 2.9.0.4
>>>> version of the rules until the 2.9.0.5 rules are available? Otherwise if
>>>> users roll out a new sensor within the first 30 days of a new Snort
>>>> version being released, their VRT auto rule updating will break until
>>>> the 30 days has expired.
>>> Eoin,
>>> 
>>> Maybe I am not understanding what you are asking here, but if you change
>>> 2905 to 2904 in pulledpork, it'll grab the 2904 rules.  Is that what you
>>> are asking?
>>> 
>>> Joel
>>> 
>> Yes, if you specify the version 2.9.0.4 in the pulled pork conf file
>> when you are actually running 2.9.0.5 to make it work. But then after
>> the 30 day lag has expired, you have to remember to go back in and
>> comment that line out of the conf file so you start pulling 2.9.0.5
>> rules for your 2.9.0.5 instance because if you don't there will be a
>> time when 2.9.0.4 is gone from the supported rule list when 2.9.0.5 is
>> still supported. Its an annoyance that requires good knowledge of the 30
>> day lag, when your snort version was released because otherwise users
>> will be thinking their oinkcode does not work etc etc. If there is no
>> 2.9.0.5 available for a user because they are reg vers subscription,
>> then if the request for 2.9.0.5 could return the 2.9.0.4 version. Or
>> actually releasing 2.9.0.5 registered user rules to correspond with a
>> 2.9.0.5 release on the same day would probably be a good idea. Otherwise
>> people have to deal with this type of gotcha for the 30 day lag period.
>> 
>> -- Eoin
>> 
>> ------------------------------------------------------------------------------
>> WhatsUp Gold - Download Free Network Management Software
>> The most intuitive, comprehensive, and cost-effective network
>> management toolset available today.  Delivers lowest initial
>> acquisition cost and overall TCO of any competing solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
> 
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network 
> management toolset available today.  Delivers lowest initial 
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJNubAIAAoJEJZGFwhgpNqABuYP/jiZ+k8UcGNTHAR3vv85qbf0
1ogJfbtAZmPaSTs0IYSM4vMXXDn2J2qsu52SyBDqgFT/P4PnqjuA+kgHwb8Kfinj
fpv9JZj/5EE75js6FhIQP9XaY6pL29neIVocEmUsYNKAC0NKYPnSEyceyOwVof3b
YMl7FkisCu62X3oe9vpjbiB8Q1qVHeK4HI31VJzKYnGb5BEdm+ic1pjZOu1RC6SJ
UxEn7UArtsSkPZNUx6M+IqV1PBbkfccOKbdGmrZ+wTJp73q0+CacLmOtacasEYst
wEKU4cN5702R0IGj/+VW1ufY22DprYhmz3Gesi3E6UVl+HeojgbI4tPwWBUbNjzD
58E3+/fQL0FnzuYVkym7ICmAcGs3yp0Y0V17xF47nDn9B+/Kp8aQ64BRQKH7PiF7
b2ZVKLkq64+BGnTaoMIXDoFD6mxXyPgfrHzj/r4Qf+44NUG8G+0qNXRoW01Zp2yl
OiQmlQU4bvVF3yPDE5ejvVpg4Jw5+iqaezAcyrQE8Vsf4jU0MgLsJShBesNYOTgB
PDVlBeJjPhSkFYlOwc47kxkv3ToFNQNlSKJLMihDcAZcwQNvysTTYTSjaZrXwe7C
LaEXGTU46MoI00y3VCPREpi0CJVKsbeeZfnjZSbJd1WDW2GczIJ6js8l2g5JACh+
mkgFmfw7uS6YuLJMVBDE
=JzGo
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list