Snort mailing list archives
Re: rules update schedule (was: Re: so_rule problem)
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Fri, 1 Oct 2010 14:04:00 -0400
On Fri, 01 Oct 2010 13:35:59 -0400, waldo kitty wrote:
> On 10/1/2010 13:14, Nigel Houghton wrote:
>> On Fri, 01 Oct 2010 12:37:14 -0400, waldo kitty wrote:
>>> i had similar discussion to this some time back in another venue and at that time the question was does VRT update the "registered" rules snapshot every day so that there's a "rolling release" or do they simply wait and do one release every 30 days... AIR, no one ever answered that question or provided a pointer to where it might be answered...
>> Didn't see that question, but to answer it. The roll over is automatic.
> yeah, i think it was before i joined the SF lists so you're off the hook :P
>
> i guess what i'm really trying to dig out is the answers to the following questions...
>
> 1. are rules released daily or are they held and released in batches once a week or month?
The schedule is roughly twice a week (Tuesdays and Thursdays). That can change though, sometimes more often, sometimes once a week. We'll always try to get something out for 0day stuff immediately though. Remember, we do rigorous testing on rules, the regression suite goes through millions of tests and if something fails horribly, it can delay releases. We were thinking of introducing numbering for the rule pack releases (like we have for the Sourcefire 3D releases) but that might create more confusion as folks would see missing numbers as certain builds don't make it into release. We figure finding rule packs by date is easy enough anyway, the only time that gets confusing is in the rare occurrence where two or more rule releases are issued on the same day. Which has happened on some occasions.
> 2. can you list possible reasons why an initial update connection may be 403'd and the 15 minute delay initiated?
Don't know. Try contacting snort-site () sourcefire com for answers to those questions. We do not control the backend (or frontend) systems.
> 3. is it possible that even after waiting out the 15 minute delay that one might be 403'd again?
Don't know. Try contacting snort-site () sourcefire com for answers to those questions. We do not control the backend (or frontend) systems.
> 4. will we see the return of the reason for the 403 and the try again in X minutes in the 403 messages or will they remain plain jane 403's with no information that can be passed back to the user via message or logs?
Don't know. Try contacting snort-site () sourcefire com for answers to those questions. We do not control the backend (or frontend) systems.
> the answers could greatly help with eliminating unnecessary updating schedules and traffic...
I think if you work on the assumption that rules will get updated on Tuesdays and Thursdays you'll be good to go. Of course, everything that you do automatically should have the option to run manually should it be necessary. Keep an eye on the snort-sigs list or the blog or snort.org (there's an RSS feed for rule release info at http://www.snort.org/vrt/advisories.xml) to see if you should manually update for something that falls outside the normal schedule.
> thanks for your time and attention in this! ;)
Yep.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/