Snort mailing list archives
Re: Persistent problems with rule updates for Registerd Users
From: "Michael Steele" <michaels () winsnort com>
Date: Fri, 4 Jan 2013 00:40:10 -0500
Right now I’m distributing files mainly to new users that are putting together a Windows Intrusion Detection System (WinIDS). Every time I update any one of the support files in the files package I include the current rule set. So along with downloading the current rule set, I now have to download the snort.conf, and the classification.config so there are getting all the current configuration files. I also have to include extra instruction in the guided installs. They first have to install the Snort executable, which includes all the configuration files, then they have to extract the rules into the snort folder over writing all the configuration files, and finally they have to copy the current snort.conf, and the classification.config files to the snort/etc folder, again over writing the same configuration files. All that needs to be done is to make sure that when new rules are added to both groups that the current configurations are also included. Also, when Snort 2.9.4.0 was released there was a new rule set added to the Subscribers group matching the new Snort release, but not to the Registered Users group. Shouldn’t that same file be added to the Registered Users group, removing the Subscribers set of rules, and replacing those with the most current rules that the Registered Users are entitled to. Seems that downloading Snort 2.9.4.0 should be accompanied by the matching 2.9.4.0 rule set, no matter what group you’re in, and this way both groups are assured to get all the current configurations for the new release, it would also be less confusing for new users trying to figure out which rule set they need. Right now I have something in place that takes care of my new users getting all the most current rules and configuration, but it’s rather confusing to new users coming to the snort.org site. Well, maybe not confusing, but today when they download the Snort executable along with the current rule set they are not really getting the current configuration files. Best regards, Michael... From: Joel Esler [mailto:jesler () sourcefire com] Sent: Thursday, January 03, 2013 11:40 PM To: Michael Steele Cc: <snort-users () lists sourceforge net> Subject: Re: [Snort-users] Persistent problems with rule updates for Registerd Users On Jan 3, 2013, at 11:20 PM, "Michael Steele" < <mailto:michaels () winsnort com> michaels () winsnort com> wrote: Here is the problem. 1) The snort binary contains a snort.conf , classification.config, reference.config, and a threshold.conf Which is current at the time of Tarball build. 2) The rules tarball contain a snort.conf , classification.config, reference.config, and a threshold.conf Which is current as of /that/ Tarball. The subscriber set is the same as below: 3) The <http://snort.org> snort.org site has a downloadable snort.conf and also a classification.config The most up to date. The snort.conf in in all three location above ALL different. If you want to be the most up to date, then use the ones on <http://snort.org> snort.org's page. But registered users can download the registered users rule pack, use that snort.conf and be good to go. The difference is really minimal. A couple of ports here and there. In the grand scheme of things, not gigantic. If there was something major we need to add in between major versions of Snort, of course that would be put out on <http://snort.org> snort.org and the snort blog. As I do with every single change I make to the snort.conf. The classification.config in location 1 and 2 above are different. However, the classification.config in location 1 matches location 3. I'll look at that. The reference.config in location 1 and 2 above are different. The threshold.conf in location 1 and 2 above are different. Interesting. All the above bring said, the last time you brought up this topic we put in procedures that should help the next version of release, to prevent this kind of thing. But this is a collaboration between several departments here at Sourcefire, and we're getting it squared away, rest assured. Why is it that both groups are having the rules tarball updated on a daily basis, but they are not having the configuration files update to be current for that day? It really doesn’t matter what files are in the Snort binaries, as long as all the files in the rule sets are current for the day. See above. As a new Registered User, shouldn’t the they be able to download the latest snort binary, download the latest rule set, extract the latest ruleset right into the snort folder and get the very latest in rules (30 days old), and the most current configurations on any single day. The registered rule set package doesn't change from the time we package it as a subscriber set, and the time it rolls over to registered. It's the same package, same Ruleset, the complete Ruleset, a delayed version, not a forked version. I’m not sure what’s being distributed in the Subscribers rule set as they may be getting current configuration files along with the current zero day rule releases. And we have some ideas in this area about how to make default installs super easy. The best guess I can come to is to download the current rule set. Then download the current snort.conf, then download the current classification.config, and then over write those two files in the current rule set. This looks like the only way to get a complete set of current rules and configurations? If you want the most up to date snort.conf, sure. Which is why I document every change on the blog, so people can see them. Take: <http://blog.snort.org/2012/12/sourcefire-vrt-certified-snort-rules_21.html> http://blog.snort.org/2012/12/sourcefire-vrt-certified-snort-rules_21.html For an example. I don't change the snort.confs very often, and when I do, I try to add several ports at the same time to keep end users's pain to a minimum. J Best regards, Michael... From: Joel Esler [ <mailto:jesler () sourcefire com> mailto:jesler () sourcefire com] Sent: Thursday, January 03, 2013 3:05 PM To: Michael Steele Cc: <mailto:snort-users () lists sourceforge net> snort-users () lists sourceforge net Subject: Re: [Snort-users] Persistent problems with rule updates for Registerd Users On Jan 2, 2013, at 9:23 PM, Michael Steele < <mailto:michaels () winsnort com> michaels () winsnort com> wrote: I just downloaded the latest rule set for the ‘Registered Users’ titled <https://www.snort.org/downloads/2117> snortrules-snapshot-2940.tar.gz. It STILL contains an OLD snort.conf. It’s missing port assignments, and it still includes the ‘output database’ option. The registered users file is 30 days behind the subscribers. It has an older snort.conf. This was a previous problem and there were assurances it was taken care of. Looks like someone is not doing their job? That's my job, and yes, it was done. You are 30 days behind. Can someone pull the Registered Users tarball ( <https://www.snort.org/downloads/2117> snortrules-snapshot-2940.tar.gz) and verify all the rules and configuration files are up-to-date? No. They are 30 days behind. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and much more. Get web development skills now with LearnDevNow - 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122812
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Persistent problems with rule updates for Registerd Users, (continued)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Jeff Kell (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Jeff Kell (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)