Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Pulled Pork

From: Joel Esler <jesler () sourcefire com>
Date: Wed, 31 Oct 2012 09:31:49 -0400
On Oct 30, 2012, at 8:22 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 10/30/2012 16:25, Joel Esler wrote:

On Oct 30, 2012, at 12:02 PM, waldo kitty wrote:

On 10/30/2012 10:55, Joel Esler wrote:


We have the 15 minute delay in place, as there are some people who like to
download the entire ruleset every 5 seconds.


i highly suspect that these are folks with bad cron entries... you'd think
they'd be aware of the problem but obviously

1) they are not OR
2) they do not care OR
3) they are trying to cause problems ie: (d)dos anyone?


I believe it's #1. They don't know the problem exists. I've written a few of
them, and a couple of them have corrected the issue, we have one who
acknowledged the problem and is going to fix it (don't know when),


not trying to be nosy but this is out of how many unique oinkcodes abusing the 
services like this?


A lot.  The amount of people still cron'ed to download extremely old versions of the ruleset is in the thousands.


and some that haven't acknowledged at all.

And some, whose emails just bounced.


i'd bet that if those oinkcodes were disabled they'd wake up... or maybe feed 
them a "rules archive" with a file inside that states the problem, that their 
registered email address is no longer valid and why the code has been set to 
redirect to this non-rules archive ;)

HA! or even a rule or rules that alerts on traffic and has a message that would 
point out to them the problem... if they are watching their snort output, that 
would definitely get their attention ;) ;) ;)


I've thought about these things, but there's some steps that have to be taken first in order to get to that.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: