Re: Persistent problems with rule updates for Registerd Users

[Joel Esler <jesler () sourcefire com>]

On Jan 4, 2013, at 12:55 PM, "Michael Steele" <michaels () winsnort com> wrote:

> On the day Sourcefire released Snort 2.9.4.0 to the general public all distributions, including the rule set for both 
> groups should have contained the very latest ‘CURRENT’ configuration files for Snort 2.9.4.0, but they didn’t 
> (snort.conf contained reference to ‘output database’, and there were missing port assignments).

I simply forgot to delete those lines.  I apologize on behalf of Sourcefire for forgetting to remove those 
non-functional lines.   Sorry if that sounds a little snarky, but they were nonfunctional. 

As far as missing port assignments, I'm quite sure that they weren't missing port assignments at the time of release.  
They are now, as I've added ports since the time of release, but those changes would only affect a very small number of 
rules (probably 5 or 6) that aren't going to be in the registered rule release anyway until the snort.conf that goes 
with those rules rolls into registered anyway and everything is good to go.  We aren't going to reroll the tarball 
every time I make a change to the snort.confs.

So, here's our alternatives.  

1. We can subtract the snort.conf, classification, threshold, reference, etc, from the tarball and distribute it only 
with the rules, which means that you
A)  can't get a working Snort out of the box
B)  MUST download the VRT rules in order to get Snort to work
C)  Neither of these solutions would work for anyone.

2.  We can subtract the snort.conf, classification, etc, from the rule tarball and distribute it only with the Snort 
tarball, which means that
A)  We have no way to update it detection once Snort has been shipped.
B)  Everyone gets screwed.

3.  We can prevent different snort.confs, classification, etc from existing.  We'll work on that.

4.  We can make Snort easier to set up by automating a lot of this.  Unfortunately, we won't be doing that for Windows 
users, as we're not going to compile our Shared Object rules for the Windows platform.  Should be easy enough for you 
to batch script up something for your "WinIDS" users though.

>  After the initial release of Snort 2.9.4.0; to make SURE the end users have access to all the ‘CURRENT’ 
> configurations files on any given day, why not just merge all the ‘CURRENT’ configuration files when new rules are 
> added to each group.

Not sure what you mean here.

When we release a new version of Snort the snort.conf that is shipped with the tarball should be up to date with the 
VRT snort.conf and that VRT snort.conf is what is in the tarball and what I put on the website.  I have a bug into 
development now to see if we can rectify this in the future so it can't happen anymore.  

> There should be no reason why a new user can’t just grab the Snort executable, latest rule set (they are entitled 
> to), install Snort, extract the rule set into the snort folder, and end up with all ‘CURRENT’ configuration files 
> that were relevant from the previous day.

They can.  I don't see what you are saying here.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!