Re: rules downloads and scalability

[Eric Hines <eric.hines () appliedwatch com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I suppose Sourcefire's thinking is, which I think makes sense, say you
download new rules at 9am and a new worm or pretty nasty exploit
surfaces at noon. Then, new Snort signatures are released at 3:00pm. If
it were limited to once a day, you wouldn't be able to grab those rules
until 12:01am the next day :/

But then again, you wouldn't be able to get them that quickly unless you
were a VRT paid subscriber.. so that doesn't make sense.. :/ hmm..  I
can't answer that one..

Ok, here's another idea :) You have several Snort management solutions,
each with its own method of managing Snort rules (we've got several
customers like this) where you use your oink code to download rules for
Snort management solution A and then you need to do the same for Snort
management solution B. You can't download rules for B until the next
day, so B will always be 1 day behind.

That about does it for me :) I suppose the answer to your question is,
why not? Why tie people's hands more than you actually need to.. if
every 15 minutes addresses the issue for Sourcefire, why do it longer
like 24 hours?

Just my 2 cents..


Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


- --------------------------------------------------

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

- --------------------------------------------------

Email:   eric.hines () appliedwatch com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

- --------------------------------------------------
Security Management for the Open Source Enterprise





Paul Schmehl wrote:
> --On Monday, September 18, 2006 11:18:25 -0400 Martin Roesch
> <roesch () sourcefire com> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > FYI, every once in a while we were getting people who didn't know how
> > to configure cron who were trying to download rule updates every
> > second.  Since we update rules typically on a daily basis at best, 15
> > minutes ought to work pretty well for everyone...
> What's wrong with once a day?  Is getting new rules into snort really
> *that* critical????
>
> Sheesh.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFDsPx1va6QYTV0EMRAqmoAJ4g+kUAt36LkeoOxrmtWMppv7bVGwCeObmL
pzZ18zkTBYyhozLmoBBiKWk=
=f8H7
-----END PGP SIGNATURE-----

Attachment: eric.hines.vcf
Description:

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users