Snort mailing list archives

Re: Rate limits on MD5s for snort rules


From: Dorian ROSSE via Snort-users <snort-users () lists snort org>
Date: Fri, 12 Jul 2019 18:08:33 +0000

Perl is the security dev lang

Download Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Francis Booth <boothf () boothlabs me>
Sent: Friday, July 12, 2019 2:36:00 PM
To: Dorian ROSSE
Cc: Joel Esler (jesler); Snort-users () lists snort org
Subject: Re: [Snort-users] Rate limits on MD5s for snort rules

Joel,

Sounds good, going to implement a local cache of the hashes in that case. I don't expect it to call out all that much 
but one of the features I'm looking to implement would definitely pass that limit so I'm happy I asked before I got too 
far along.


Dorian,

Writing my own implementation mostly as a pet project for myself. PulledPork does seem to have stalled as far as 
getting Snort 3 and OpenAppID rules supported. Since I am not knowledgeable in Perl, and the project wanted to move to 
something like Python or Go, I am writing my own alternative which will be open source and available once I've got the 
base features working first. I just wanted to ask before I got too far along or worse hit the abuse page. I do 
appreciate your suggestion though.

Best,
Francis Booth

On Jul 12, 2019 4:49 AM, Dorian ROSSE <dorianbrice () hotmail fr> wrote:
If you want upload trustly I advise you to use pulledpork master which the good command line

Firstly gone all pulledpork files directory at the root of the pulledpork master folder,

You will maybe needing to put your oinkcode after all -h set up option in pulledpork files

Pulledpork conf files need just you add the oinkcode instead <oinkcode>

If you want you uncomment rules which a sharp in front of the rules files pulledpork conf

If you have error which pulledpork Perl It is as I advise :

You put the oinkcode in front of "-h" Settings

I hope you will success my cook,

Regards.


Dorian Rosse.

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Joel Esler (jesler) via Snort-users 
<snort-users () lists snort org>
Sent: Thursday, July 11, 2019 5:13:17 PM
To: Francis Booth
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Rate limits on MD5s for snort rules

Hello Francis,

First, we only publish rules two or three times a week (at most once a day for the community rules), and when we 
publish more than that, we make an announcement about it.

Second, once an hour is plenty sufficient.  The rule is if you make more than 7 requests in 5 minutes, you are blocked 
for a period of time.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Jul 11, 2019, at 9:57 AM, Francis Booth via Snort-users <snort-users () lists snort org> wrote:

Hello all,

Just reaching out as I wasn't sure what the consensus was on how often you could fetch the md5s for snort rules and not 
fall into the abuse page.

I'm aware that downloading of the rules is requested to be once in a given hour but didn't know if that was also the 
case on MD5s checks as well.
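
Added example, not part of the original thread or of any poster's code: a client-side guard that combines the local hash cache Francis mentions with the limits Joel states (no more than 7 requests in 5 minutes, checking once an hour). The class name Md5Poller and the injected fetch_md5 callable are hypothetical; no real endpoint is assumed.

```python
import time
from collections import deque


class Md5Poller:
    """Cache the last remote MD5 and refuse to exceed the request budget."""

    def __init__(self, fetch_md5, max_requests=7, window=300.0,
                 min_interval=3600.0, clock=time.monotonic):
        self.fetch_md5 = fetch_md5        # hypothetical callable returning the remote MD5 text
        self.max_requests = max_requests  # thread: more than 7 requests ...
        self.window = window              # ... in 5 minutes gets you blocked
        self.min_interval = min_interval  # thread: once an hour is sufficient
        self.clock = clock                # injectable so the logic can be tested offline
        self.sent = deque()               # timestamps of requests actually sent
        self.cached_md5 = None
        self.last_check = None

    def _budget_left(self, now):
        # Sliding window: forget requests older than the window.
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        return self.max_requests - len(self.sent)

    def check(self, force=False):
        """Return (md5, changed, source).

        source is 'remote' (a request was sent), 'cache' (the hourly
        interval has not elapsed) or 'throttled' (the budget is spent,
        even if force=True). md5 is None if nothing was ever fetched.
        """
        now = self.clock()
        if self._budget_left(now) <= 0:
            return self.cached_md5, False, "throttled"
        fresh = (self.last_check is not None
                 and now - self.last_check < self.min_interval)
        if fresh and not force:
            return self.cached_md5, False, "cache"
        self.sent.append(now)             # count the attempt even if the fetch fails
        md5 = self.fetch_md5().strip().lower()
        changed = md5 != self.cached_md5  # a changed hash means the rules need downloading
        self.cached_md5, self.last_check = md5, now
        return md5, changed, "remote"
```

Any feature that needs the hash more often than hourly reads cached_md5 instead of calling out, so a burst of internal lookups never turns into a burst of requests.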

