[Snort-users] Pulled Pork
jesler at ...1935...
Wed Oct 31 09:31:49 EDT 2012
On Oct 30, 2012, at 8:22 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 10/30/2012 16:25, Joel Esler wrote:
>> On Oct 30, 2012, at 12:02 PM, waldo kitty wrote:
>>> On 10/30/2012 10:55, Joel Esler wrote:
>>>> We have the 15 minute delay in place, as there are some people who like to
>>>> download the entire ruleset every 5 seconds.
>>> i highly suspect that these are folks with bad cron entries... you'd think
>>> they'd be aware of the problem but obviously
>>> 1) they are not OR
>>> 2) they do not care OR
>>> 3) they are trying to cause problems ie: (d)dos anyone?
>> I believe it's #1. They don't know the problem exists. I've written a few of
>> them, and a couple of them have corrected the issue, we have one who
>> acknowledged the problem and is going to fix it (don't know when),
> not trying to be nosy but this is out of how many unique oinkcodes abusing the
> services like this?
A lot. The number of people still cron'ed to download extremely old versions of the ruleset is in the thousands.
>> and some that haven't acknowledged at all.
>> And some, whose emails just bounced.
> i'd bet that if those oinkcodes were disabled they'd wake up... or maybe feed
> them a "rules archive" with a file inside that states the problem, that their
> registered email address is no longer valid and why the code has been set to
> redirect to this non-rules archive ;)
> HA! or even a rule or rules that alerts on traffic and has a message that would
> point out to them the problem... if they are watching their snort output, that
> would definitely get their attention ;) ;) ;)
I've thought about these things, but there are some steps that have to be taken first in order to get to that.
Senior Research Engineer, VRT
OpenSource Community Manager