Snort mailing list archives

Re: rules downloads and scalability


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 18 Sep 2006 11:18:25 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI, every once in a while we were getting people who didn't know how to configure cron who were trying to download rule updates every second. Since we update rules typically on a daily basis at best, 15 minutes ought to work pretty well for everyone...

      -Marty

On Sep 18, 2006, at 9:21 AM, Eric Hines wrote:

I do want to add to my comment. I do understand Sourcefire's reasoning for doing this. With the number of times Snort has been downloaded and half that number of people were checking our web site multiple times a day (I hear it's as excessive as every 10 mins), I too would have put a mechanism in place to prevent it.

Also, I took a closer look at the Sourcefire message for download limiting. It seems to be every 15 minutes. I think if anyone downloads new rules more often than every 15 minutes, something needs to be changed :)

-------------- snip -------------

Next download available at: 2006-09-18 09:33:54 (Currently: 2006-09-18 09:18:55)

You don't have permission to access /pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-2.4.tar.gz on this server.

-------------- snap -------------


Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

Eric Hines wrote:
Jason,

It's not limiting specific to Oinkmaster. Applied Watch began seeing this a few weeks ago through regular rule downloads with our Command Center using specific Oink Code. Sourcefire seems to be limiting user-specific Oink Code to download rules only once a day.

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Tel: (877) 262-7593
Web: http://www.appliedwatch.com

Jason Haar wrote:
I notice the "www.snort.org/pub-bin/oinkmaster.cgi" script has some form of download limiting component (to stop people like me repeatedly downloading the same live data while editing/updating local scripts - ahem).

Anyway, such scaling issues happen. I'd like to suggest that Sourcefire look to ClamAV to see how they handled people hammering their servers looking for updates that didn't exist (i.e. they were already up to date). Their rules basically have a serial number and they put that into a DNS record, and then their freshclam update daemon looks to that DNS record before deciding to actually do a HTTP connection to download an update. That plus some time-of-day randomization and load sharing should go a loooong way on the scalability side...

Just an idea.




-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org



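Jason's ClamAV-style suggestion from the thread, as an added example (not code from Snort, Sourcefire, ClamAV or Applied Watch): a client that reads the ruleset serial from a DNS TXT record, opens an HTTP download only when that serial is newer than the installed one, honours the 15-minute minimum interval quoted in the thread, and spreads downloads with random jitter. The TXT record format, the jitter bound and every function name are assumptions for illustration; the resolver and fetcher are injected so the logic runs offline.

```python
import random
from dataclasses import dataclass
from typing import Callable, Tuple

MIN_INTERVAL = 15 * 60     # seconds; the server-side limit quoted in the thread
MAX_JITTER = 300           # seconds of random spread before a download (assumed)

@dataclass
class UpdateState:
    local_serial: int           # serial of the ruleset currently installed
    last_download: float = 0.0  # epoch seconds of the last HTTP download

def parse_serial_txt(txt: str) -> int:
    """Parse a constructed TXT record such as 'serial=2453:rules=2.4' -> 2453.
    A malformed record raises, so unexpected DNS data can never trigger
    a download on its own."""
    for field in txt.split(":"):
        key, _, value = field.partition("=")
        if key.strip() == "serial" and value.strip().isdigit():
            return int(value)
    raise ValueError(f"no serial field in TXT record: {txt!r}")

def decide(state: UpdateState, txt: str, now: float,
           rng: Callable[[], float] = random.random) -> Tuple[str, float]:
    """Return (action, delay_seconds): 'skip' when already current or the
    record is unusable, 'wait' when inside the server's minimum interval,
    'download' with a jitter delay when a newer ruleset is published."""
    try:
        remote = parse_serial_txt(txt)
    except ValueError:
        return "skip", 0.0
    if remote <= state.local_serial:
        return "skip", 0.0          # cheap DNS answer, no HTTP connection
    since = now - state.last_download
    if since < MIN_INTERVAL:
        return "wait", MIN_INTERVAL - since
    return "download", rng() * MAX_JITTER

def run_once(state: UpdateState, resolve_txt: Callable[[], str],
             fetch_rules: Callable[[], int], now: float,
             rng: Callable[[], float] = random.random) -> Tuple[str, float]:
    """One scheduler tick: DNS lookup first, HTTP fetch only if needed.
    resolve_txt/fetch_rules are injected stand-ins (assumed); a real
    deployment would use a DNS library and the rules HTTP endpoint."""
    action, delay = decide(state, resolve_txt(), now, rng)
    if action == "download":
        state.local_serial = fetch_rules()   # returns the serial installed
        state.last_download = now + delay    # download happens after jitter
    return action, delay
```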