Snort mailing list archives

Re: Ideal way to update the rules


From: Shirkdog <shirkdog () gmail com>
Date: Wed, 30 Jul 2014 17:29:50 -0400

Having a single rule file is just simpler to maintain. Anything you can do
in a separate file you should be able to accomplish in the single file
(disabling, modifying, enabling, etc.)
On Jul 30, 2014 4:45 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
wrote:

Sorry, I don’t know.  If so, that’s not that great, and I guess the way
around that is to have a separate pulledpork.conf for SO rules from the normal
text rules.

Perhaps JJC (Pulledpork author/maintainer) can comment?

*From:* Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
*Sent:* July 30, 2014 11:09 AM
*To:* Jefferson, Shawn; 'snort-users () lists sourceforge net'
*Subject:* RE: [Snort-users] Ideal way to update the rules

Got it. But I see that in the pulledpork 0.70 configuration file
(pulledpork.conf) it says “##### Deprecated - The stubs are now
categorically written to the single rule file!”. So does it mean that
using pulledpork version 0.70 I would not be able to dump the so_rules in a
separate file the way you are able to do it using 0.60? If so, then what is
the solution for me if I am on pulledpork version 0.70?

Regards,
Anshuman

*From:* Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
*Sent:* Wednesday, July 30, 2014 10:06 PM
*To:* Anshuman Anil Deshmukh; 'snort-users () lists sourceforge net'
*Subject:* RE: [Snort-users] Ideal way to update the rules

Hmmm, pulledpork works fine for me (I’m on 0.60 though).  I have my
so_rules.rules file listed in the local files:

    local_rules=/etc/snort/rules/local.rules,/etc/snort/rules/so_rules.rules

So it builds the sid-msg.map properly.

And then, my sostub_path:

    sostub_path=/etc/snort/rules/so_rules.rules

I run pulledpork twice a day with the -T parameter, and once a week as
part of a script that updates the SO rules and bounces the snort process.

*From:* Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
*Sent:* July 30, 2014 12:56 AM
*To:* 'snort-users () lists sourceforge net'
*Subject:* Re: [Snort-users] Ideal way to update the rules

Can anybody please tell us how we could just process the text based rules
without disabling the existing shared object rules?

Regards,
Anshuman

*From:* Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
*Sent:* Tuesday, July 29, 2014 1:22 PM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Ideal way to update the rules

Thank you.

Currently if the -T switch is used then it only processes the text based
rules, but it also disables all the existing shared object rules.

Can anybody tell us how we could just process the text based rules on a
daily basis using a cron job without disabling the existing shared object
rules? We will update the shared object rules, say, once or twice a week by
completely stopping the snort process till we are on pf_ring.

Regards,
Anshuman

*From:* Livio Ricciulli [mailto:livio () metaflows com]
*Sent:* Tuesday, July 29, 2014 1:26 AM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Ideal way to update the rules

This might be a bit of a project, but the way we handle rule updating
without service interruption is to exploit a nice side-effect of pf_ring.
pf_ring distributes packets to multiple snort processes to execute in
parallel; when one of the processes dies the others pick up the slack almost
instantly. When it is added back it gets its portion of the traffic again.
So, we kill one process at a time every few seconds, updating all processes
without ever losing service. There will be some loss in session state, but it
is a lot better than no service. Getting pf_ring inline to work can be tricky,
but once it does, you get the added benefit of higher performance also.

Let me know if you need more information on that.

I hope this helps,

Livio.
On 07/28/2014 10:18 AM, Anshuman Anil Deshmukh wrote:

Hi,

I have a couple of questions regarding updating the rules automatically
and then sending a HUP signal to barnyard and Snort every time we
update the rules.

We intend to use SO rules. I understand that the HUP signal cannot be sent
when downloading and processing the SO rules, so the only option left is
to stop Barnyard & Snort completely. In our case we would be having snort
working inline and hence don’t recommend reinitializing snort
completely as it would break the network connection (our DAQ is AFPACKET).

Questions:

1. How regularly are so_rules released and how should they be updated
(daily/weekly/any other option)?

2. How could one keep the SO rules as well as the text based rules updated
with pulledpork? Do we need to have different schedules for updating
so_rules and text based rules? If yes, is it like we need to have separate
configuration files, one for text based rules and the other for so_rules?

We are using Snort version 2.9.6.1 and pulledpork version 0.70

Regards,
Anshuman


"Legal Disclaimer: This electronic message and all contents contain
information from Cybage Software Private Limited which may be privileged,
confidential, or otherwise protected from disclosure. The information is
intended to be for the addressee(s) only. If you are not an addressee, any
disclosure, copy, distribution, or use of the contents of this message is
strictly prohibited. If you have received this electronic message in error
please notify the sender by reply e-mail to and destroy the original
message and all copies. Cybage has taken every reasonable precaution to
minimize the risk of malicious content in the mail, but is not liable for
any damage you may sustain as a result of any malicious content in this
e-mail. You should carry out your own malicious content checks before
opening the e-mail or attachment." www.cybage.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
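Pulling the workflow in this thread together (Shawn's twice-daily pulledpork -T runs with the SO stubs kept in a file that is also listed in local_rules, plus Anshuman's report that a -T run can leave the shared object rules disabled), here is an added shell example. It is not code from any of the posters, from the pulledpork project or from the Snort project. It wraps the daily text-only run with the two checks a practitioner would want before signalling an inline sensor: that the number of enabled SO stubs in the rule files Snort loads (stubs carry gid:3 in their option block) did not drop, and that `snort -T` still parses the resulting configuration. The binary paths, the PID file location and the rule-file list are assumptions; the weekly SO update that stops and restarts Snort is left to the separate script Shawn describes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the pulledpork project.
# Guards a "text rules only" pulledpork run (-T) so that a daily update cannot
# silently drop the shared-object (SO) rule stubs, and so that Snort is only
# sent SIGHUP when the resulting configuration parses.
#
# SO stubs written by pulledpork carry "gid:3;" in their option block, so
# counting enabled gid:3 rules before and after the run shows whether the
# stubs survived.  All paths below are assumptions for illustration.
set -e

SNORT=${SNORT:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
PP_CONF=${PP_CONF:-/etc/snort/pulledpork.conf}
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}

# A rule line is enabled when it starts with a Snort 2.9 rule action;
# commented-out ("# alert ...") stubs must not be counted.
ACTIONS='^[[:space:]]*(alert|log|pass|drop|reject|sdrop|activate|dynamic)[[:space:]]'
SO_STUB='gid:[[:space:]]*3[[:space:]]*;'

# count_so_rules FILE...: number of enabled SO stub rules across the files.
# grep -c exits 1 when nothing matches, so "|| true" keeps set -e quiet;
# the printed count is still 0.  Missing files are treated as empty.
count_so_rules() {
    [ $# -gt 0 ] || { echo 0; return 0; }
    cat "$@" 2>/dev/null | grep -E "$ACTIONS" | grep -Ec "$SO_STUB" || true
}

# count_text_rules FILE...: enabled rules that are not SO stubs.
count_text_rules() {
    [ $# -gt 0 ] || { echo 0; return 0; }
    cat "$@" 2>/dev/null | grep -E "$ACTIONS" | grep -Evc "$SO_STUB" || true
}

# so_rules_preserved BEFORE AFTER: succeed only if no SO stubs were lost.
so_rules_preserved() {
    [ "$2" -ge "$1" ]
}

# update_text_rules FILE...: the daily cron job.  FILE... are the rule files
# Snort actually loads (the single pulledpork output plus the stub/local files).
update_text_rules() {
    before=$(count_so_rules "$@")
    "$PULLEDPORK" -c "$PP_CONF" -T
    after=$(count_so_rules "$@")
    if ! so_rules_preserved "$before" "$after"; then
        echo "enabled SO stubs went from $before to $after; not reloading Snort" >&2
        return 1
    fi
    # snort -T parses the configuration and rules and exits; a broken rule
    # set fails here instead of taking the inline sensor down on HUP.
    "$SNORT" -T -q -c "$SNORT_CONF"
    kill -HUP "$(cat "$PIDFILE")"
}

case "${1:-}" in
    check) shift
           echo "so_stubs=$(count_so_rules "$@") text_rules=$(count_text_rules "$@")" ;;
    daily) shift
           update_text_rules "$@" ;;
esac
```

Run it as `sh snort-rules-update.sh check /etc/snort/rules/snort.rules /etc/snort/rules/so_rules.rules` to see the current counts, and from cron as `... daily <rule files>` for the text-only schedule; if the stub count drops or `snort -T` fails, the old rule set stays loaded and the failure is visible in the cron mail instead of in a dead inline sensor.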