[Snort-users] When Upgrading Breaks Auto Rule Management
Dylan.Merida at ...15123...
Thu Apr 28 14:20:50 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
You can actually change your version to "edge" and this will ensure you're always getting the newest rules, but this causes other problems. For instance, so rules appear to stop functioning after making any chance or enabling the version variable. PulledPork wont let you set the edge tar with the rules_url variable in the config; it always overwrites it with the automatic version check, so this is more of a problem with PulledPork.
Seems to always use the snapshot tar with a version number instead, so you have to change the version variable on down in the config. Again, this appears to break so rules though.
Eastern Kentucky University
On Apr 28, 2011, at 2:13 PM, Jason Wallace wrote:
> Isn't this what "snortrules-snapshot-edge.tar.gz" is suppose to
> handle? I thought "edge" would give you the most recent version of the
> rules you have access to and it would automatically determined
> registered user vs. subscription user based on the oink code you give
> On Thu, Apr 28, 2011 at 2:00 PM, Eoin Miller
> <eoin.miller at ...14586...> wrote:
>> On 4/28/2011 4:47 PM, Joel Esler wrote:
>>> On Thu, 2011-04-28 at 16:10 +0000, Eoin Miller wrote:
>>>> Then it occurred to me, go to the site and check if 220.127.116.11 rules are
>>>> available yet for registered users and after reviewing that site and the
>>>> SourceFire blog, it was clear that 30 days have not passed yet. Is it
>>>> possible to get some kind of place holder to pull down the 18.104.22.168
>>>> version of the rules until the 22.214.171.124 rules are available? Otherwise if
>>>> users roll out a new sensor within the first 30 days of a new Snort
>>>> version being released, their VRT auto rule updating will break until
>>>> the 30 days has expired.
>>> Maybe I am not understanding what you are asking here, but if you change
>>> 2905 to 2904 in pulledpork, it'll grab the 2904 rules. Is that what you
>>> are asking?
>> Yes, if you specify the version 126.96.36.199 in the pulled pork conf file
>> when you are actually running 188.8.131.52 to make it work. But then after
>> the 30 day lag has expired, you have to remember to go back in and
>> comment that line out of the conf file so you start pulling 184.108.40.206
>> rules for your 220.127.116.11 instance because if you don't there will be a
>> time when 18.104.22.168 is gone from the supported rule list when 22.214.171.124 is
>> still supported. Its an annoyance that requires good knowledge of the 30
>> day lag, when your snort version was released because otherwise users
>> will be thinking their oinkcode does not work etc etc. If there is no
>> 126.96.36.199 available for a user because they are reg vers subscription,
>> then if the request for 188.8.131.52 could return the 184.108.40.206 version. Or
>> actually releasing 220.127.116.11 registered user rules to correspond with a
>> 18.104.22.168 release on the same day would probably be a good idea. Otherwise
>> people have to deal with this type of gotcha for the 30 day lag period.
>> -- Eoin
>> WhatsUp Gold - Download Free Network Management Software
>> The most intuitive, comprehensive, and cost-effective network
>> management toolset available today. Delivers lowest initial
>> acquisition cost and overall TCO of any competing solution.
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today. Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
More information about the Snort-users