[Snort-users] Pulled Pork

waldo kitty wkitty42 at ...14940...
Tue Oct 30 20:22:51 EDT 2012


On 10/30/2012 16:25, Joel Esler wrote:
> On Oct 30, 2012, at 12:02 PM, waldo kitty wrote:
>> On 10/30/2012 10:55, Joel Esler wrote:
>>
>>> We have the 15 minute delay in place, as there are some people who like to
>>> download the entire ruleset every 5 seconds.
>>
>> i highly suspect that these are folks with bad cron entries... you'd think
>> they'd be aware of the problem but obviously
>>
>> 1) they are not OR
>> 2) they do not care OR
>> 3) they are trying to cause problems ie: (d)dos anyone?
>
> I believe it's #1. They don't know the problem exists. I've written a few of
> them, and a couple of them have corrected the issue, we have one who
> acknowledged the problem and is going to fix it (don't know when),

not trying to be nosy but this is out of how many unique oinkcodes abusing the 
services like this?

> and some that haven't acknowledged at all.
>
> And some, whose emails just bounced.

i'd bet that if those oinkcodes were disabled they'd wake up... or maybe feed 
them a "rules archive" with a file inside that states the problem, that their 
registered email address is no longer valid and why the code has been set to 
redirect to this non-rules archive ;)

HA! or even a rule or rules that alerts on traffic and has a message that would 
point out to them the problem... if they are watching their snort output, that 
would definitely get their attention ;) ;) ;)




More information about the Snort-users mailing list