Snort mailing list archives
Re: Ideal way to update the rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 28 Jul 2014 17:31:41 +0000
On Jul 28, 2014, at 1:18 PM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:
I have a couple of questions regarding updating the rules automatically and then sending a HUP signal to barnyard and Snort every time we update the rules. We intend to use so rules. I understand that the HUP signal cannot be sent when downloading and processing the so rules; then the only option left is to stop Barnyard & Snort completely. In our case we would be having snort working as inline and hence don't recommend reinitializing snort completely, as it would break the network connection (our DAQ is AFPACKET).
Questions:
1. How regularly are so_rules released and how should they be updated (daily/weekly/any other option)?
We release the ruleset on Tuesdays and Thursdays, sometimes more often. Shared Object rules can be updated at any time, but you are right, they are much less frequent.
2. How could one keep the so rules as well as text based rules updated with pulledpork? Do we need to have different schedules for updating so_rules and text based rules? If yes, is it like we need to have separate configuration files, one for text based rules and another for so_rules?
Pulledpork handles the updates for both Shared object and text rules.
We are using Snort version 2.9.6.1 and pulledpork version 0.70
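The HUP-versus-restart decision discussed in this thread, as an added example in POSIX shell (not code from the thread, from Snort or from pulledpork): after a pulledpork run it fingerprints the compiled shared-object rule files and only falls back to a full Snort restart when one of them changed, otherwise it sends the usual HUP. The SO rule directory, state file, pid file and init script paths are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example: choose between SIGHUP (text rules only) and a full restart
# (a shared-object rule changed, which HUP cannot load). All paths below are
# assumptions, not values from the thread.
SO_RULES_DIR="${SO_RULES_DIR:-/usr/local/lib/snort_dynamicrules}"
STATE_FILE="${STATE_FILE:-/var/lib/snort/so_rules.sha256}"
SNORT_PID="${SNORT_PID:-/var/run/snort_eth0.pid}"
BARNYARD_PID="${BARNYARD_PID:-/var/run/barnyard2_eth0.pid}"

# Print "sha256  path" for every .so file in the directory, sorted so the
# output is stable between runs. Prints nothing if there are no .so files.
so_fingerprint() {
    find "$1" -maxdepth 1 -name '*.so' -type f 2>/dev/null | sort | while read -r f; do
        sha256sum "$f"
    done
}

# Exit status 0 when the SO rule set differs from the fingerprint recorded
# after the last full restart (or no fingerprint exists), 1 when unchanged.
so_rules_changed() {
    current=$(so_fingerprint "$1" || true)
    previous=$(cat "$2" 2>/dev/null || true)
    [ "$current" != "$previous" ]
}

# Record the fingerprint once Snort is running with the current SO rules.
record_so_state() {
    so_fingerprint "$1" > "$2"
}

# Operational flow (not invoked here): run after pulledpork has fetched rules.
apply_rule_update() {
    if so_rules_changed "$SO_RULES_DIR" "$STATE_FILE"; then
        # New shared objects: a full restart is unavoidable. With inline AFPACKET
        # this interrupts traffic, so schedule it in a maintenance window.
        /etc/init.d/snort restart && record_so_state "$SO_RULES_DIR" "$STATE_FILE"
    else
        # Only text rules changed: reload both daemons in place.
        kill -HUP "$(cat "$SNORT_PID")"
        kill -HUP "$(cat "$BARNYARD_PID")"
    fi
}
```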