Snort mailing list archives

Re: rules downloads and

From: SN ORT <snort_on_acid () yahoo com>
Date: Tue, 19 Sep 2006 06:29:55 -0700 (PDT)

I tell ya personally I wouldn't be relying on anything
too heavily when it involves FREE software/services. I
would always expect the worse to happen and be
prepared for it. Snort can drop the product at the
drop of a hat and wouldn't be any worse off for it. I
bet they've been planning for years as to how they're
going to do just that. So far, it looks like a very
slow and gradual move from free software to paid. 

I leave the real protections of our networks to 
devices and services we pay for.

Cheese!

Marc


----------------------------------------------------------------------


Message: 1
Date: Mon, 18 Sep 2006 12:52:33 -0500
From: Paul Schmehl <pauls () utdallas edu>
Subject: Re: [Snort-users] rules downloads and
scalability
To: Eric Hines <eric.hines () appliedwatch com>
Cc: Jason Haar <Jason.Haar () trimble co nz>,
      snort-users () lists sourceforge net,   Martin Roesch
      <roesch () sourcefire com>
Message-ID:
<C29E3E0168E8D970C0E6E5BA () utd59514 utdallas edu>
Content-Type: text/plain; charset="us-ascii"

--On Monday, September 18, 2006 11:06:09 -0500 Eric
Hines 
<eric.hines () appliedwatch com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I suppose Sourcefire's thinking is, which I think

makes sense, say you

download new rules at 9am and a new worm or pretty

nasty exploit

surfaces at noon. Then, new Snort signatures are

released at 3:00pm. If

it were limited to once a day, you wouldn't be

able to grab those rules

until 12:01am the next day :/

But then again, you wouldn't be able to get them

that quickly unless you

were a VRT paid subscriber.. so that doesn't make

sense.. :/ hmm..  I

can't answer that one..

:-)

Ok, here's another idea :) You have several Snort

management solutions,

each with its own method of managing Snort rules

(we've got several

customers like this) where you use your oink code

to download rules for

Snort management solution A and then you need to

do the same for Snort

management solution B. You can't download rules

for B until the next

day, so B will always be 1 day behind.


Here's a thought.  How about managing your own stuff
instead of expecting 
the vendor to do it for you?

Write a script that checks for new rules and
downloads them if it finds 
them.  Make sure the site is only accessible inside
your own network.  (No 
sense in violating the rules and losing your rights
to downloading the 
rules.)  Cron it for once a day, every six hours,
whatever floats your 
boat.  Then point *all* your oinkmaster installs to
the *local* site where 
the downloaded rules exist.  Or use one oinkmaster
install to download the 
file and then point all the other oinkmaster
installs to *that* file.  Then 
cron it as you like.

Problem solved.

That about does it for me :) I suppose the answer

to your question is,

why not? Why tie people's hands more than you

actually need to.. if

every 15 minutes addresses the issue for

Sourcefire, why do it longer

like 24 hours?


I guess my answer would be why let the vendor manage
your installation for 
you as opposed to actively taking care of your own
stuff in a way that 
works best for *you*?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 4085 bytes
Desc: not available
Url :

http://sourceforge.net/mailarchive/forum.php?forum=snort-users/attachments/20060918/ea41e7d6/attachment.bin



------------------------------

-------------------------------------------------------------------------

Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get
the chance to share your
opinions on IT & business topics through brief
surveys -- and earn cash

http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV


------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

https://lists.sourceforge.net/lists/listinfo/snort-users



End of Snort-users Digest, Vol 4, Issue 24
******************************************



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: rules downloads and SN ORT (Sep 19)
- Re: rules downloads and Paul Schmehl (Sep 19)
  - Re: rules downloads and Jason (Sep 19)
  - A complication with an unconventional use of Snort bahdko (Sep 19)
    - Re: A complication with an unconventional use of Snort Leon Ward (Sep 19)