[Snort-users] Pulled Pork

Joel Esler jesler at ...1935...
Wed Oct 31 09:31:49 EDT 2012


On Oct 30, 2012, at 8:22 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 10/30/2012 16:25, Joel Esler wrote:
>> On Oct 30, 2012, at 12:02 PM, waldo kitty wrote:
>>> On 10/30/2012 10:55, Joel Esler wrote:
>>> 
>>>> We have the 15 minute delay in place, as there are some people who like to
>>>> download the entire ruleset every 5 seconds.
>>> 
>>> i highly suspect that these are folks with bad cron entries... you'd think
>>> they'd be aware of the problem but obviously
>>> 
>>> 1) they are not OR
>>> 2) they do not care OR
>>> 3) they are trying to cause problems ie: (d)dos anyone?
>> 
>> I believe it's #1. They don't know the problem exists. I've written a few of
>> them, and a couple of them have corrected the issue, we have one who
>> acknowledged the problem and is going to fix it (don't know when),
> 
> not trying to be nosy but this is out of how many unique oinkcodes abusing the 
> services like this?

A lot. The number of people still cron'ed to download extremely old versions of the ruleset is in the thousands.

>> and some that haven't acknowledged at all.
>> 
>> And some, whose emails just bounced.
> 
> i'd bet that if those oinkcodes were disabled they'd wake up... or maybe feed 
> them a "rules archive" with a file inside that states the problem, that their 
> registered email address is no longer valid and why the code has been set to 
> redirect to this non-rules archive ;)
> 
> HA! or even a rule or rules that alerts on traffic and has a message that would 
> point out to them the problem... if they are watching their snort output, that 
> would definitely get their attention ;) ;) ;)

I've thought about these things, but there are some steps that have to be taken first in order to get to that.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

