Snort mailing list archives
Re: Persistent problems with rule updates for Registerd Users
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Jan 2013 13:53:20 -0500
On Jan 4, 2013, at 12:55 PM, "Michael Steele" <michaels () winsnort com> wrote:
On the day Sourcefire released Snort 2.9.4.0 to the general public all distributions, including the rule set for both groups should have contained the very latest ‘CURRENT’ configuration files for Snort 2.9.4.0, but they didn’t (snort.conf contained reference to ‘output database’, and there were missing port assignments).
I simply forgot to delete those lines. I apologize on behalf of Sourcefire for forgetting to remove those non-functional lines. Sorry if that sounds a little snarky, but they were nonfunctional. As far as missing port assignments, I'm quite sure that they weren't missing port assignments at the time of release. They are now, as I've added ports since the time of release, but those changes would only affect a very small number of rules (probably 5 or 6) that aren't going to be in the registered rule release anyway until the snort.conf that goes with those rules rolls into registered anyway and everything is good to go. We aren't going to reroll the tarball every time I make a change to the snort.confs. So, here's our alternatives. 1. We can subtract the snort.conf, classification, threshold, reference, etc, from the tarball and distribute it only with the rules, which means that you A) can't get a working Snort out of the box B) MUST download the VRT rules in order to get Snort to work C) Neither of these solutions would work for anyone. 2. We can subtract the snort.conf, classification, etc, from the rule tarball and distribute it only with the Snort tarball, which means that A) We have no way to update it detection once Snort has been shipped. B) Everyone gets screwed. 3. We can prevent different snort.confs, classification, etc from existing. We'll work on that. 4. We can make Snort easier to set up by automating a lot of this. Unfortunately, we won't be doing that for Windows users, as we're not going to compile our Shared Object rules for the Windows platform. Should be easy enough for you to batch script up something for your "WinIDS" users though.
After the initial release of Snort 2.9.4.0; to make SURE the end users have access to all the ‘CURRENT’ configurations files on any given day, why not just merge all the ‘CURRENT’ configuration files when new rules are added to each group.
Not sure what you mean here. When we release a new version of Snort the snort.conf that is shipped with the tarball should be up to date with the VRT snort.conf and that VRT snort.conf is what is in the tarball and what I put on the website. I have a bug into development now to see if we can rectify this in the future so it can't happen anymore.
There should be no reason why a new user can’t just grab the Snort executable, latest rule set (they are entitled to), install Snort, extract the rule set into the snort folder, and end up with all ‘CURRENT’ configuration files that were relevant from the previous day.
They can. I don't see what you are saying here. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and much more. Get web development skills now with LearnDevNow - 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122812
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Persistent problems with rule updates for Registerd Users, (continued)
- Re: Persistent problems with rule updates for Registerd Users Russ Combs (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Jeff Kell (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Jeff Kell (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Jeff Kell (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)
- Re: Persistent problems with rule updates for Registerd Users Russ Combs (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Michael Steele (Jan 03)
- Re: Persistent problems with rule updates for Registerd Users Joel Esler (Jan 04)