[Snort-users] Community Ruleset Clarification
michaels at ...9077...
Sat Mar 30 14:28:13 EDT 2013
Just grabbed the latest SVN of PulledPork and will try it out.
From: Joel Esler [mailto:jesler at ...1935...]
Sent: Saturday, March 30, 2013 2:12 PM
To: Michael Steele
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Community Ruleset Clarification
On Mar 30, 2013, at 12:40 PM, "Michael Steele" <michaels at ...9077...> wrote:
The Community Rule set:
Is the Community Rules download maintained to be an exact duplicate of what’s in the Subscribers Release on any given day?
The community Ruleset is generated daily. The subscriber set is generated twice a week. So there will be periods when a couple of the rules in the community Ruleset will be more up to date than subscriber, but only for a couple days at the most.
If I’m reading the information correctly, it appears that the Community Rules are built right into the Subscribers Release, but not into the Registered Users Release. Is there a reason why this is not happening with the Registered Users Release?
The community Ruleset is a subset of the master Ruleset (subscriber). Don't think of them as "built into" the subscriber set. Think of them as extracted from the subscriber set. Daily.
They are in the registered release. But the rule pack that registered users are downloading was generated a month ago. So they are 30 days old. Registered should use both registered and community for the most up to date rules that are in the community Ruleset.
This may change in the future. Planning is taking place.
If the above is correct, can the Community Rules be Pulled using PulledPork?
Yes. The svn version of pulledpork has it built in. A new release should be soon. The details are in my blog post. http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html