[Snort-users] Persistent problems with rule updates for Registered Users

Michael Steele michaels at ...9077...
Thu Jan 3 23:20:42 EST 2013


Here is the problem.

1)      The snort binary contains a snort.conf, classification.config,
reference.config, and a threshold.conf

2)      The rules tarball contains a snort.conf, classification.config,
reference.config, and a threshold.conf

3)      The snort.org site has a downloadable snort.conf and also a
classification.config

The snort.conf in all three locations above are ALL different.

The classification.config in locations 1 and 2 above are different. However,
the classification.config in location 1 matches location 3.

The reference.config in locations 1 and 2 above are different.

The threshold.conf in locations 1 and 2 above are different.

Why is it that both groups are having the rules tarball updated on a daily
basis, but they are not having the configuration files updated to be current
for that day? It really doesn't matter what files are in the Snort binaries,
as long as all the files in the rule sets are current for the day.

As a new Registered User, shouldn't they be able to download the latest
snort binary, download the latest rule set, extract the latest ruleset right
into the snort folder and get the very latest in rules (30 days old), and
the most current configurations on any single day. I'm not sure what's being
distributed in the Subscribers rule set as they may be getting current
configuration files along with the current zero day rule releases.

The best guess I can come to is to download the current rule set. Then
download the current snort.conf, then download the current
classification.config, and then overwrite those two files in the current
rule set. This looks like the only way to get a complete set of current
rules and configurations?

Best regards,

Michael...

 

From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Thursday, January 03, 2013 3:05 PM
To: Michael Steele
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Persistent problems with rule updates for
Registered Users

 

On Jan 2, 2013, at 9:23 PM, Michael Steele <michaels at ...9077...> wrote:





I just downloaded the latest rule set for the 'Registered Users' titled
<https://www.snort.org/downloads/2117> snortrules-snapshot-2940.tar.gz. It
STILL contains an OLD snort.conf. It's missing port assignments, and it
still includes the 'output database' option.

 

The registered users file is 30 days behind the subscribers.  It has an
older snort.conf.





This was a previous problem and there were assurances it was taken care of.
Looks like someone is not doing their job?

 

That's my job, and yes, it was done.  You are 30 days behind.





 Can someone pull the Registered Users tarball (
<https://www.snort.org/downloads/2117> snortrules-snapshot-2940.tar.gz) and
verify all the rules and configuration files are up-to-date?

 

No.  They are 30 days behind.  

 

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
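
One way to confirm which copies actually differ before overwriting anything, as an added example that is not part of the original messages or of Snort's own tooling: it hashes the four files named above in each source directory and groups the sources whose copies are byte-identical. The labels `binary`, `tarball` and `website` and the sample file contents are constructed; point `sources` at your own extracted package, rules tarball and downloaded files.

```python
import hashlib
import tempfile
from pathlib import Path

# The four files the message lists as shipped in more than one place.
CONFIG_FILES = ("snort.conf", "classification.config",
                "reference.config", "threshold.conf")

def sha256_of(path):
    """SHA-256 hex digest of a file, or None when that source does not ship it."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def group_by_content(sources, names=CONFIG_FILES):
    """Map each file name to groups of source labels holding byte-identical copies."""
    report = {}
    for name in names:
        by_digest = {}
        for label, directory in sources.items():
            digest = sha256_of(Path(directory) / name)
            if digest is not None:
                by_digest.setdefault(digest, []).append(label)
        report[name] = sorted(by_digest.values())
    return report

def demo():
    """Run the comparison on constructed files that mimic the reported pattern."""
    # Constructed sample contents, not real Snort configuration.
    samples = {
        "binary": {"snort.conf": "A", "classification.config": "X",
                   "reference.config": "R1", "threshold.conf": "T1"},
        "tarball": {"snort.conf": "B", "classification.config": "Y",
                    "reference.config": "R2", "threshold.conf": "T2"},
        "website": {"snort.conf": "C", "classification.config": "X"},
    }
    with tempfile.TemporaryDirectory() as root:
        sources = {}
        for label, files in samples.items():
            directory = Path(root) / label
            directory.mkdir()
            for name, text in files.items():
                (directory / name).write_text(text)
            sources[label] = directory
        return group_by_content(sources)

if __name__ == "__main__":
    for name, groups in demo().items():
        status = "all identical" if len(groups) <= 1 else "DIFFERENT"
        print(f"{name}: {status} {groups}")
```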
