Snort mailing list archives

Re: Persistent problems with rule updates for Registerd Users


From: "Michael Steele" <michaels () winsnort com>
Date: Fri, 4 Jan 2013 00:40:10 -0500

Right now I’m distributing files mainly to new users that are putting together a Windows Intrusion Detection System 
(WinIDS). Every time I update any one of the support files in the files package I include the current rule set. So 
along with downloading the current rule set, I now have to download the snort.conf, and the classification.config so 
they are getting all the current configuration files. I also have to include extra instruction in the guided installs. 
They first have to install the Snort executable, which includes all the configuration files, then they have to extract 
the rules into the snort folder overwriting all the configuration files, and finally they have to copy the current 
snort.conf, and the classification.config files to the snort/etc folder, again overwriting the same configuration 
files.
 
All that needs to be done is to make sure that when new rules are added to both groups that the current configurations 
are also included.
 
Also, when Snort 2.9.4.0 was released there was a new rule set added to the Subscribers group matching the new Snort 
release, but not to the Registered Users group. Shouldn’t that same file be added to the Registered Users group, 
removing the Subscribers set of rules, and replacing those with the most current rules that the Registered Users are 
entitled to? It seems that downloading Snort 2.9.4.0 should be accompanied by the matching 2.9.4.0 rule set, no matter 
what group you’re in; this way both groups are assured of getting all the current configurations for the new release, 
and it would also be less confusing for new users trying to figure out which rule set they need.
 
Right now I have something in place that takes care of my new users getting all the most current rules and 
configuration, but it’s rather confusing to new users coming to the snort.org site. Well, maybe not confusing, but 
today when they download the Snort executable along with the current rule set they are not really getting the current 
configuration files.
 
Best regards,
Michael...
 
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, January 03, 2013 11:40 PM
To: Michael Steele
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Persistent problems with rule updates for Registerd Users
 
On Jan 3, 2013, at 11:20 PM, "Michael Steele" <michaels () winsnort com> wrote:
 
Here is the problem.
 
1)      The snort binary contains a snort.conf, classification.config, reference.config, and a threshold.conf
 
Which is current at the time of Tarball build. 

2)      The rules tarball contains a snort.conf, classification.config, reference.config, and a threshold.conf
 
Which is current as of /that/ Tarball. The subscriber set is the same as below:

3)      The snort.org site has a downloadable snort.conf and also a classification.config
 
The most up to date. 

The snort.conf in all three locations above are ALL different.
 
If you want to be the most up to date, then use the ones on snort.org's page. But registered users 
can download the registered users rule pack, use that snort.conf and be good to go. 
 
The difference is really minimal. A couple of ports here and there. In the grand scheme of things, not gigantic. If 
there was something major we need to add in between major versions of Snort, of course that would be put out on 
snort.org and the snort blog. As I do with every single change I make to the snort.conf. 

The classification.config in location 1 and 2 above are different. However, the classification.config in location 1 
matches location 3.
 
I'll look at that. 
The reference.config in location 1 and 2 above are different.
 
The threshold.conf in location 1 and 2 above are different.
 
Interesting.  
 
All the above being said, the last time you brought up this topic we put in procedures that should help the next 
version of release, to prevent this kind of thing. But this is a collaboration between several departments here at 
Sourcefire, and we're getting it squared away, rest assured. 

Why is it that both groups are having the rules tarball updated on a daily basis, but they are not having the 
configuration files updated to be current for that day? It really doesn’t matter what files are in the Snort binaries, 
as long as all the files in the rule sets are current for the day.
 
See above. 
 

As a new Registered User, shouldn’t they be able to download the latest snort binary, download the latest rule 
set, extract the latest ruleset right into the snort folder and get the very latest in rules (30 days old), and the 
most current configurations on any single day?
 
The registered rule set package doesn't change from the time we package it as a subscriber set, and the time it rolls 
over to registered. It's the same package, same Ruleset, the complete Ruleset, a delayed version, not a forked version. 
I’m not sure what’s being distributed in the Subscribers rule set as they may be getting current configuration files 
along with the current zero day rule releases.
 
And we have some ideas in this area about how to make default installs super easy. 
The best guess I can come to is to download the current rule set. Then download the current snort.conf, then download 
the current classification.config, and then overwrite those two files in the current rule set. This looks like the 
only way to get a complete set of current rules and configurations? 
 
If you want the most up to date snort.conf, sure. Which is why I document every change on the blog, so people can see 
them. Take:
 
http://blog.snort.org/2012/12/sourcefire-vrt-certified-snort-rules_21.html

For an example. I don't change the snort.confs very often, and when I do, I try to add several ports at the same time 
to keep end users' pain to a minimum. 

J
Best regards,
Michael...
 
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, January 03, 2013 3:05 PM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Persistent problems with rule updates for Registerd Users
 
On Jan 2, 2013, at 9:23 PM, Michael Steele <michaels () winsnort com> wrote:

I just downloaded the latest rule set for the ‘Registered Users’ titled snortrules-snapshot-2940.tar.gz 
(https://www.snort.org/downloads/2117). It STILL contains an OLD snort.conf. It’s missing port assignments, and it still 
includes the ‘output database’ option.
 
The registered users file is 30 days behind the subscribers.  It has an older snort.conf.
This was a previous problem and there were assurances it was taken care of. Looks like someone is not doing their job?
 
That's my job, and yes, it was done.  You are 30 days behind.

Can someone pull the Registered Users tarball (snortrules-snapshot-2940.tar.gz, https://www.snort.org/downloads/2117) 
and verify all the rules and configuration files are up-to-date?
 
No.  They are 30 days behind.  
 
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
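The three config sets Joel lists (source tarball, rules snapshot, snort.org downloads) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from Sourcefire or from the Snort project: it reads the four configuration files out of two tarballs by basename (the source tarball is assumed to keep them under snort-x.y.z/etc/, the rules snapshot under etc/), reports which files differ, and lists the portvar/ipvar lines that changed in snort.conf, which is the kind of difference Joel describes. The two tarballs and their file contents are constructed samples built in memory; for a real check, pass the bytes of the downloaded .tar.gz files to `audit()` instead.

```python
import io
import tarfile

# The four files both correspondents list as shipping in the Snort source
# tarball and in the rules snapshot tarball.
CONFIG_FILES = ("snort.conf", "classification.config",
                "reference.config", "threshold.conf")


def build_tar_gz(files):
    """Build an in-memory .tar.gz from {path: text}; used here only to
    construct sample tarballs, real ones are downloaded from snort.org."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_configs(tar_gz_bytes, wanted=CONFIG_FILES):
    """Return {basename: text} for the wanted files wherever they sit in the
    tarball; matching on basename lets the assumed source layout
    (snort-x.y.z/etc/) and rules-snapshot layout (etc/) be compared."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and base in wanted:
                found[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return found


def compare_configs(configs_a, configs_b, wanted=CONFIG_FILES):
    """Classify each wanted file as 'same', 'different' or missing on a side."""
    result = {}
    for name in wanted:
        in_a, in_b = name in configs_a, name in configs_b
        if in_a and in_b:
            result[name] = "same" if configs_a[name] == configs_b[name] else "different"
        else:
            result[name] = "missing-in-" + ("b" if in_a else "a" if in_b else "both")
    return result


def var_changes(conf_a, conf_b):
    """Return (removed, added) portvar/ipvar lines between two snort.conf
    texts; port additions between releases show up exactly here."""
    def var_lines(text):
        return {ln.strip() for ln in text.splitlines()
                if ln.lstrip().startswith(("portvar ", "ipvar "))}
    a, b = var_lines(conf_a), var_lines(conf_b)
    return sorted(a - b), sorted(b - a)


def audit(tar_a, tar_b):
    """Compare two tarballs' config sets; returns (status, removed, added)."""
    a, b = read_configs(tar_a), read_configs(tar_b)
    status = compare_configs(a, b)
    removed, added = var_changes(a.get("snort.conf", ""), b.get("snort.conf", ""))
    return status, removed, added


# Constructed sample contents (real files are far longer). The older
# snort.conf still carries an 'output database' line and fewer HTTP ports.
SNORT_CONF_OLD = """# snort.conf (older)
ipvar HOME_NET any
portvar HTTP_PORTS [80,8080]
output database: log, mysql, user=snort dbname=snort host=localhost
include $RULE_PATH/local.rules
"""
SNORT_CONF_NEW = """# snort.conf (newer)
ipvar HOME_NET any
portvar HTTP_PORTS [80,81,8080,8088]
include $RULE_PATH/local.rules
"""
CLASSIFICATION = "config classification: misc-activity,Misc activity,3\n"
REFERENCE = "config reference: bugtraq http://www.securityfocus.com/bid/\n"

SOURCE_TARBALL = build_tar_gz({  # source-tarball layout, assumed
    "snort-2.9.4.0/etc/snort.conf": SNORT_CONF_OLD,
    "snort-2.9.4.0/etc/classification.config": CLASSIFICATION,
    "snort-2.9.4.0/etc/reference.config": REFERENCE,
    "snort-2.9.4.0/etc/threshold.conf": "# threshold.conf\n",
})
RULES_SNAPSHOT = build_tar_gz({  # rules-snapshot layout, assumed
    "etc/snort.conf": SNORT_CONF_NEW,
    "etc/classification.config": CLASSIFICATION,
    "etc/reference.config": REFERENCE,
    "etc/threshold.conf": "# threshold.conf\n# line added in the newer file\n",
    "rules/local.rules": "# local rules go here\n",
})

if __name__ == "__main__":
    status, removed, added = audit(SOURCE_TARBALL, RULES_SNAPSHOT)
    for name, state in status.items():
        print(f"{name:24} {state}")
    print("portvar/ipvar removed:", removed)
    print("portvar/ipvar added:  ", added)
```

Run against the two real downloads, the "different" rows are the files to copy over after extracting the rules snapshot into the snort folder, and the removed/added portvar lines are the port assignments Michael reports missing; a threshold.conf or reference.config marked "different" is worth a full diff, since those carry no port variables and the change is something else.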
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!