Snort mailing list archives

Re: Rate limits on MD5s for snort rules


From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Sat, 13 Jul 2019 15:52:44 +0000

On the oinkcode page, we make per sensor crontab randomized times for you. That way you don’t run afoul of the rate 
limiter, nor do we have everyone hitting the site all at once.  

Sent from my  iPhone

On Jul 13, 2019, at 07:14, Francis Booth <boothf () boothlabs me> wrote:


Just working on the hash checking function. My goal is that what I'm building could manage multiple snort sensors, 
download new rules regularly, track sensor rules and snort versions, and push those rules out to each sensor. With 
the prototype I built in Ruby, it pulls the latest hashes from snort whenever I run the hash checking, so one sensor 
isn't bad, but if 5 did it at once it would land me on the abuse page. The final polished version won't be making that 
many requests and will be in Rust. 


On Jul 12, 2019 3:33 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
What are you doing that you need to check the md5 that much? 

Sent from my  iPad

On Jul 12, 2019, at 13:03, Francis Booth <boothf () boothlabs me> wrote:


Joel,

Sounds good, going to implement a local cache of the hashes in that case. I don't expect it to call out all that much 
but one of the features I'm looking to implement would definitely pass that limit so I'm happy I asked before I got 
too far along.


Dorian,

Writing my own implementation mostly as a pet project for myself. PulledPork does seem to have stalled as far as 
getting Snort 3 and OpenAppID rules supported. Since I am not knowledgeable in Perl, and the project wanted to move to 
something like Python or Go, I am writing my own alternative which will be open source and available once I've got 
the base features working first. I just wanted to ask before I got too far along or worse hit the abuse page. I do 
appreciate your suggestion though.

Best,
Francis Booth

On Jul 12, 2019 4:49 AM, Dorian ROSSE <dorianbrice () hotmail fr> wrote:
If you want to upload trustly, I advise you to use pulledpork master with the good command line

Firstly gone all pulledpork files directory at the root of the pulledpork master folder, 

You will maybe need to put your oinkcode after all -h set up option in pulledpork files

Pulledpork conf files just need you to add the oinkcode instead of <oinkcode> 

If you want, you uncomment rules which have a sharp in front of the rules files pulledpork conf

If you have an error with pulledpork Perl, it is as I advise:

You put the oinkcode in front of "-h" Settings

I hope you will succeed with my cook, 

Regards. 


Dorian Rosse. 
Download Outlook for Android

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Joel Esler (jesler) via Snort-users 
<snort-users () lists snort org>
Sent: Thursday, July 11, 2019 5:13:17 PM
To: Francis Booth
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Rate limits on MD5s for snort rules
 
Hello Francis,

First, we only publish rules two or three times a week (at most once a day for the community rules), and when we 
publish more than that, we make an announcement about it.

Second, once an hour is plenty sufficient.  The rule is if you make more than 7 requests in 5 minutes, you are 
blocked for a period of time.  

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Jul 11, 2019, at 9:57 AM, Francis Booth via Snort-users <snort-users () lists snort org> wrote:

Hello all,

Just reaching out as I wasn't sure what the consensus was on how often you could fetch the md5s for snort rules and 
not fall into the abuse page.

I'm aware that downloading of the rules is requested to be once in a given hour but didn't know if that was also the 
case on MD5s checks as well.
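
Added example, not part of the thread or of any participant's code: a Ruby sketch of the local hash cache discussed above. It lets several sensors share one cached MD5 per ruleset, refreshes at most hourly, and keeps the manager within 7 requests per 5 minutes. `HashCache`, the `fetcher` and `clock` callables, and the digests and sensor names are hypothetical, constructed for illustration.

```ruby
# Added example: HashCache, fetcher and clock are hypothetical names.
class HashCache
  MAX_REQUESTS = 7        # from the thread: more than 7 requests ...
  WINDOW_SECS  = 5 * 60   # ... in 5 minutes gets the client blocked
  TTL_SECS     = 60 * 60  # from the thread: once an hour is sufficient

  attr_reader :upstream_calls

  # fetcher: callable taking a ruleset name, returning its published MD5.
  # clock:   callable returning seconds; injectable so the demo runs offline.
  def initialize(fetcher, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @fetcher = fetcher
    @clock = clock
    @cache = {}   # ruleset => [md5, fetched_at]
    @sent = []    # timestamps of upstream requests inside the window
    @upstream_calls = 0
  end

  # Returns the MD5 for a ruleset; all sensors share the cached value.
  def md5_for(ruleset)
    now = @clock.call
    md5, at = @cache[ruleset]
    return md5 if md5 && now - at < TTL_SECS
    @sent.reject! { |t| now - t >= WINDOW_SECS }
    if @sent.size >= MAX_REQUESTS
      return md5 if md5 # serve the stale value rather than trip the limiter
      raise "local request budget exhausted; retry after the window"
    end
    @sent << now
    @upstream_calls += 1
    md5 = @fetcher.call(ruleset)
    @cache[ruleset] = [md5, now]
    md5
  end

  # Sensors whose installed MD5 differs from the published one need a push.
  def stale_sensors(ruleset, sensors)
    published = md5_for(ruleset)
    sensors.reject { |_name, installed| installed == published }.keys
  end
end

# Constructed sample data: fake digest values and sensor names.
def demo
  now = 0
  cache = HashCache.new(->(_r) { "aaaa1111" }, clock: -> { now })
  sensors = { "s1" => "aaaa1111", "s2" => "0000ffff", "s3" => "aaaa1111" }
  5.times { cache.stale_sensors("community", sensors) }
  [cache.stale_sensors("community", sensors), cache.upstream_calls]
end
```

Six checks across three sensors cost a single upstream request here; only `s2` is reported as needing a push.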


