Re: VRT Rules snapshot-CURRENT.tar.gz Download Error?

["Jeff Dell" <jdell () activeworx com>]

The problem with once a week is what happens if you check on Monday at 8am
and the rules are updated on Monday at 8:05? You won't get any updates for 2
weeks. It would be really great to have something like a checksum that will
be available to see if there is a change in the rules file. This way users
know exactly when an update has occurred and even if they check it every 15
minutes they will be checking a tiny file as compared to 90megs+ file. Then
incorporating this into your favorite update utility will make updates very
fast most of the time as there won't be an update to the file, and would
severely lower the bandwidth that snort.org needs.

 

Cheers,

Jeff

 

From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Friday, May 29, 2009 12:35 PM
To: jlay () slave-tothe-box net
Cc: Snort Users List
Subject: Re: [Snort-users] VRT Rules snapshot-CURRENT.tar.gz Download Error?

 

On Fri, May 29, 2009 at 12:12 PM, <jlay () slave-tothe-box net> wrote:

> I spoke to our IT guys - sorry, This isn't possible.
>
> I also want to thank everyone for the great feedback so far.
>
> On Thu, May 28, 2009 at 5:49 PM, Sethsec <sethsec () gmail com> wrote:
>
> > It looks like you guys are redirecting the initial request to
> > www.snort.org
> >  to dl.snort.org. Is there anyway you can do that redirection "behind
> > the scenes" do I don't have to add the .34 to a butt load of outgoing
> > fw rules?

My question now is, what's the best timeframe for updating rules?  I have
a script that downloads the rules once a week (via oinkmaster)...should I
change that to something different?  Is there a way to diff the rules or
tarball on a box and compare to what's online before downloading?  How can
end users lighten the load on the snort.org site?  Just a few questions I
guess.

 

Good questions, and I hope everyone is paying attention to this thread so we
can lighten the load.  

 

I personally have a system that only runs when I get the rule email from the
VRT.  I run it manually.  I have just automated my scripts to run, download
the rules, create a new sid-msg.map file with my custom rules in it, restart
barnyard and restart Snort.  Rule releases come out about every two weeks or
so, depending upon the threats on the internet that the VRT has to cover.  I
think once a week is a fine frequency for keeping it automated.  Depending
upon your environment, VRT releases rules to cover Microsoft vulnerabilities
on Patch Tuesday (Second Tuesday of every month), so shortly after this rule
release might be a good idea.  

 

It's the once a minute, or once every 15 minute people we have to be
concerned about.  Once a day is fine, but in reality, rules aren't going to
be released that often.  I think once a week is a good frequency.

 

-- 
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974

------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
is a gathering of tech-side developers & brand creativity professionals. Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, & 
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users