[Snort-users] Persistent problems with rule updates for Registerd Users

Joel Esler jesler at ...1935...
Fri Jan 4 10:27:33 EST 2013

On Jan 3, 2013, at 11:51 PM, Jeff Kell <jeff-kell at ...6282...> wrote:
> On 1/3/2013 11:40 PM, Joel Esler wrote:
>> The registered rule set package doesn't change from the time we
>> package it as a subscriber set, and the time it rolls over to
>> registered. It's the same package, same Ruleset, the complete Ruleset,
>> a delayed version, not a forked version.
> And if there are any "buggy" rules in the original set, you won't get
> the "fixes" for 30 days either.  Fixes/revisions aren't retroactive.

(Going to try and reply to this whole thread at once)

That is correct.  Again, The free product is a delayed tarball.  

Think of it like this.  (This isn't how it actually works, but it's a simplistic explanation)

We have a directory dated "20130104", in there contains the 4 current rule tarball builds.  After 30 days, that directory is then made available to the registered users download.  Essentially if you think of it like a shell script that just moves the directory to a different place.  Again, not how it works, but hopefully you get the point.

The rules will stay there until there is no more space on the drive, then they are cleaned up, oldest first.

For instance, we've had thousands of downloads of the 2912 ruleset in the past 60 days from people whom have not upgraded or have not changed pulledpork/oinkmaster to point at the new version.  We leave them there even after EOL until we can't hold them anymore.  They just are no longer updated after EOL.  Heck, one of our most popular rulesets is 2923, and that will be EOL at the end of February.

Most people are one version back.  (current is 2940, so I mean 2931 in this case).  Either this is because they are downloading the 2931 ruleset because they haven't upgraded yet, haven't changed their pulledpork/oinkmaster config (this is usually the reason I've found) or they just haven't plain upgraded.  We even have people that haven't changed the format of their download url yet (like: snortrules-snapshot-2931_s.tar.gz, if you remember the _s nomenclature for downloading), hundreds of people.

Now, when we release a new version (, we release the subscriber set right away of course. The registered users get the ruleset for that specific version 30 days later.  The plaintext 2931 ruleset will still work in 2940.  I say plaintext because sometimes there is a compatibility upgrade in the few SO rules that we have that won't work in a newer version, but most of the time, they will still work.

We've considering fixing this a number of ways, but no way we have come up with either makes it simpler for the user or doesn't align with our current business model.  

I say current because it may not always be that way.  We are making some changes soon that will help out the vast majority of users (especially in terms of what Jeff is referencing above).  I don't have a release date for this yet, but rest assured when it comes out, I'll make a big noise about it.

It may not always be this way, and we are looking at ways to improve the process for users.  We've heard the complaints from people that it's just too difficult to get Snort up and running.  There's some work we can do here at Sourcefire to make it easy for people, and we are going to do that, but at the end of the day, this is an IPS.  This is something you have to maintain and groom.  It will require changing from time to time to keep pace with current threats and upgrades.  I try to keep everyone as informed as I can via the Snort blog, this mailing list and Twitter.  I don't know how else to possibly alert you to changes.

Please, if you have a suggestion I am all ears.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130104/718242ce/attachment.html>

More information about the Snort-users mailing list