[Snort-users] Persistent problems with rule updates for Registered Users

Joel Esler jesler at ...1935...
Thu Jan 3 23:40:20 EST 2013


On Jan 3, 2013, at 11:20 PM, "Michael Steele" <michaels at ...9077...> wrote:

> Here is the problem.
>  
> 1)      The snort binary contains a snort.conf, classification.config, reference.config, and a threshold.conf
>  
Which is current at the time of the Tarball build. 

> 2)      The rules tarball contains a snort.conf, classification.config, reference.config, and a threshold.conf
>  
Which is current as of /that/ Tarball. The subscriber set is the same as below:


> 3)      The snort.org site has a downloadable snort.conf and also a classification.config

The most up to date. 

>  
> The snort.conf in all three locations above are ALL different.

If you want to be the most up to date, then use the ones on snort.org's page. But registered users can download the registered users rule pack, use that snort.conf and be good to go. 

The difference is really minimal. A couple of ports here and there. In the grand scheme of things, not gigantic. If there was something major we need to add in between major versions of Snort, of course that would be put out on snort.org and the snort blog. As I do with every single change I make to the snort.conf. 

>  
> The classification.config in location 1 and 2 above are different. However, the classification.config in location 1 matches location 3.

I'll look at that. 
>  
> The reference.config in location 1 and 2 above are different.
>  
> The threshold.conf in location 1 and 2 above are different.

Interesting.  

All the above being said, the last time you brought up this topic we put in procedures that should help the next version of release, to prevent this kind of thing. But this is a collaboration between several departments here at Sourcefire, and we're getting it squared away, rest assured. 

>  
> Why is it that both groups are having the rules tarball updated on a daily basis, but they are not having the configuration files updated to be current for that day? It really doesn’t matter what files are in the Snort binaries, as long as all the files in the rule sets are current for the day.

See above. 


> As a new Registered User, shouldn’t they be able to download the latest snort binary, download the latest rule set, extract the latest ruleset right into the snort folder and get the very latest in rules (30 days old), and the most current configurations on any single day?

The registered rule set package doesn't change from the time we package it as a subscriber set, and the time it rolls over to registered. It's the same package, same Ruleset, the complete Ruleset, a delayed version, not a forked version. 

> I’m not sure what’s being distributed in the Subscribers rule set as they may be getting current configuration files along with the current zero day rule releases.

And we have some ideas in this area about how to make default installs super easy. 

>  
> The best guess I can come to is to download the current rule set. Then download the current snort.conf, then download the current classification.config, and then overwrite those two files in the current rule set. This looks like the only way to get a complete set of current rules and configurations?

If you want the most up to date snort.conf, sure. Which is why I document every change on the blog, so people can see them. Take:

http://blog.snort.org/2012/12/sourcefire-vrt-certified-snort-rules_21.html

For an example. I don't change the snort.confs very often, and when I do, I try to add several ports at the same time to keep end users' pain to a minimum. 

J

>  
> Best regards,
> Michael...
>  
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Thursday, January 03, 2013 3:05 PM
> To: Michael Steele
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Persistent problems with rule updates for Registered Users
>  
> On Jan 2, 2013, at 9:23 PM, Michael Steele <michaels at ...9077...> wrote:
> 
> 
> I just downloaded the latest rule set for the ‘Registered Users’ titled snortrules-snapshot-2940.tar.gz. It STILL contains an OLD snort.conf. It’s missing port assignments, and it still includes the ‘output database’ option.
>  
> The registered users file is 30 days behind the subscribers.  It has an older snort.conf.
> 
> 
> This was a previous problem and there were assurances it was taken care of. Looks like someone is not doing their job?
>  
> That's my job, and yes, it was done.  You are 30 days behind.
> 
> 
>  Can someone pull the Registered Users tarball (snortrules-snapshot-2940.tar.gz) and verify all the rules and configuration files are up-to-date?
>  
> No.  They are 30 days behind.  
>  
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
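A check a registered user can run before extracting a rules tarball over an existing install, to see which of the four config files discussed in this thread (snort.conf, classification.config, reference.config, threshold.conf) differ from the installed copies. This is added example code, not from the thread or from Sourcefire; it assumes the rules tarball keeps those files under etc/, and the fixture files it builds are constructed sample content, not real VRT files.

```shell
# Compare the config files shipped in a Snort rules tarball against the
# copies already installed (e.g. the ones that came with the Snort source
# build). Exit status: 0 if all four match, 1 if any differ or are missing.
# Assumption: the tarball stores them under etc/ (not confirmed by the thread).
compare_snort_configs() {
    tarball=$1      # e.g. snortrules-snapshot-2940.tar.gz
    installed=$2    # e.g. /etc/snort
    workdir=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$workdir" || { rm -rf "$workdir"; return 2; }
    rc=0
    for f in snort.conf classification.config reference.config threshold.conf; do
        new="$workdir/etc/$f"; old="$installed/$f"
        if [ ! -f "$new" ] || [ ! -f "$old" ]; then
            echo "MISSING $f"; rc=1
        elif cmp -s "$new" "$old"; then
            echo "SAME    $f"
        else
            # Print the changed lines so a new port list or a dropped
            # 'output database' line is visible at a glance.
            echo "DIFFERS $f"; diff "$old" "$new" | grep '^[<>]'
            rc=1
        fi
    done
    rm -rf "$workdir"
    return $rc
}

# Constructed fixture (sample content, not real Sourcefire files): an
# "installed" set and a rules tarball whose snort.conf and reference.config
# have moved on, while the other two files are unchanged.
build_demo_fixture() {
    d=$1
    mkdir -p "$d/installed" "$d/stage/etc"
    printf 'portvar HTTP_PORTS [80,8080]\noutput database: log, mysql\n' > "$d/installed/snort.conf"
    printf 'portvar HTTP_PORTS [80,8080,8000]\n' > "$d/stage/etc/snort.conf"
    printf 'config classification: trojan-activity,A Network Trojan was detected,1\n' \
        | tee "$d/installed/classification.config" > "$d/stage/etc/classification.config"
    printf 'config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=\n' > "$d/installed/reference.config"
    printf 'config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=\nconfig reference: osvdb http://osvdb.org/show/osvdb/\n' > "$d/stage/etc/reference.config"
    printf '# threshold.conf\n' | tee "$d/installed/threshold.conf" > "$d/stage/etc/threshold.conf"
    tar -czf "$d/rules.tar.gz" -C "$d/stage" etc
}

demo=$(mktemp -d)
build_demo_fixture "$demo"
compare_snort_configs "$demo/rules.tar.gz" "$demo/installed"
echo "exit status: $?"
rm -rf "$demo"
```

Point it at a real snortrules-snapshot tarball and your snort etc directory to see exactly which files the tarball would replace.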