Snort mailing list archives
Re: rules downloads and
From: SN ORT <snort_on_acid () yahoo com>
Date: Tue, 19 Sep 2006 06:29:55 -0700 (PDT)
I tell ya personally I wouldn't be relying on anything too heavily when it involves FREE software/services. I would always expect the worst to happen and be prepared for it. Snort can drop the product at the drop of a hat and wouldn't be any worse off for it. I bet they've been planning for years as to how they're going to do just that. So far, it looks like a very slow and gradual move from free software to paid. I leave the real protections of our networks to devices and services we pay for.

Cheese!
Marc

----------------------------------------------------------------------
Message: 1
Date: Mon, 18 Sep 2006 12:52:33 -0500
From: Paul Schmehl <pauls () utdallas edu>
Subject: Re: [Snort-users] rules downloads and scalability
To: Eric Hines <eric.hines () appliedwatch com>
Cc: Jason Haar <Jason.Haar () trimble co nz>, snort-users () lists sourceforge net, Martin Roesch <roesch () sourcefire com>
Message-ID: <C29E3E0168E8D970C0E6E5BA () utd59514 utdallas edu>
Content-Type: text/plain; charset="us-ascii"

--On Monday, September 18, 2006 11:06:09 -0500 Eric Hines <eric.hines () appliedwatch com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I suppose Sourcefire's thinking is, which I think makes sense, say you download new rules at 9am and a new worm or pretty nasty exploit surfaces at noon. Then, new Snort signatures are released at 3:00pm. If it were limited to once a day, you wouldn't be able to grab those rules until 12:01am the next day :/ But then again, you wouldn't be able to get them that quickly unless you were a VRT paid subscriber.. so that doesn't make sense.. :/ hmm.. I can't answer that one.. :-)
>
> Ok, here's another idea :) You have several Snort management solutions, each with its own method of managing Snort rules (we've got several customers like this) where you use your oink code to download rules for Snort management solution A and then you need to do the same for Snort management solution B. You can't download rules for B until the next day, so B will always be 1 day behind.

Here's a thought. How about managing your own stuff instead of expecting the vendor to do it for you? Write a script that checks for new rules and downloads them if it finds them. Make sure the site is only accessible inside your own network. (No sense in violating the rules and losing your rights to downloading the rules.) Cron it for once a day, every six hours, whatever floats your boat. Then point *all* your oinkmaster installs to the *local* site where the downloaded rules exist.

Or use one oinkmaster install to download the file and then point all the other oinkmaster installs to *that* file. Then cron it as you like. Problem solved.

> That about does it for me :) I suppose the answer to your question is, why not? Why tie people's hands more than you actually need to.. if every 15 minutes addresses the issue for Sourcefire, why do it longer like 24 hours?

I guess my answer would be why let the vendor manage your installation for you as opposed to actively taking care of your own stuff in a way that works best for *you*?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
End of Snort-users Digest, Vol 4, Issue 24 ******************************************
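Paul's "download once, point every oinkmaster at the local copy" approach, written out as an added example. This script is not from the thread or from the Snort/oinkmaster projects; it is an illustration of the scheme he describes. Assumptions it makes that the thread does not state: the upstream URL format (the oinkmaster.cgi path with the oinkcode, as an oinkmaster.conf `url =` line would carry it), the local mirror directory, the script and host names, and that curl and gzip are installed. The useful parts beyond the plain fetch are the ones that keep a broken download from replacing good rules: the fetch fails on HTTP errors, the staged file is rejected unless it is a valid gzip stream (an HTML "forbidden" page must never become the rules tarball), and the mirrored copy is only swapped, atomically, when the content actually changed, so the sensors' oinkmaster runs see a new file exactly when there is one.

```shell
#!/bin/sh
# mirror-rules.sh (ASSUMED name): fetch the VRT rules tarball once, publish it
# on an internal-only web directory, and let every oinkmaster install pull
# from there. Added example, not code from the thread or from oinkmaster.
set -u

# Upstream URL in the form an oinkmaster.conf "url =" line uses; the path
# format and the OINKCODE placeholder are ASSUMPTIONS, fill in your own.
UPSTREAM_URL="${UPSTREAM_URL:-http://www.snort.org/pub-bin/oinkmaster.cgi/${OINKCODE:-REPLACE_WITH_OINKCODE}/snortrules-snapshot-2.6.tar.gz}"
# Directory served by a web server that is reachable only from inside the
# network (firewall/ACL it): ASSUMED path.
MIRROR_DIR="${MIRROR_DIR:-/var/www/snortrules}"
TARBALL_NAME="snortrules-snapshot-2.6.tar.gz"

# publish_if_changed STAGED DEST
# Validate the staged download and move it over DEST only if it differs.
# Exit status: 0 = DEST updated, 1 = unchanged, 2 = staged file rejected.
# The staged file is consumed (moved or deleted) in every case.
publish_if_changed() {
    staged="$1"; dest="$2"
    # Anything that is not a gzip stream (an HTML error page, a truncated
    # transfer) must never replace the rules the sensors are using.
    if ! gzip -t "$staged" 2>/dev/null; then
        rm -f "$staged"; return 2
    fi
    # Same bytes as the copy already published: nothing new to hand out.
    if [ -f "$dest" ] && cmp -s "$staged" "$dest"; then
        rm -f "$staged"; return 1
    fi
    # Rename is atomic on the same filesystem, so a sensor fetching mid-update
    # gets either the old tarball or the new one, never a partial file.
    chmod 0644 "$staged" && mv -f "$staged" "$dest" && return 0
    return 2
}

# fetch_rules URL DEST
# Download into a temp file beside DEST (same filesystem, for the atomic
# rename), then hand it to publish_if_changed. 2 on download failure.
fetch_rules() {
    url="$1"; dest="$2"
    tmp="$(mktemp "${dest}.XXXXXX")" || return 2
    # -f: treat HTTP 4xx/5xx as failure instead of saving the error body.
    if ! curl -fsS -o "$tmp" "$url"; then
        rm -f "$tmp"; return 2
    fi
    publish_if_changed "$tmp" "$dest"
}

# Intended to run from cron, e.g. every six hours:
#   0 */6 * * * /usr/local/sbin/mirror-rules.sh
main() {
    mkdir -p "$MIRROR_DIR" || exit 2
    fetch_rules "$UPSTREAM_URL" "$MIRROR_DIR/$TARBALL_NAME"
    case $? in
        0) echo "rules updated: $MIRROR_DIR/$TARBALL_NAME" ;;
        1) echo "rules unchanged" ;;
        *) echo "download failed or rejected; previous copy kept" >&2; exit 2 ;;
    esac
}

# Run main only when invoked as the script itself, not when sourced.
case "${0##*/}" in mirror-rules.sh) main ;; esac
```

On each sensor, oinkmaster.conf then points at the mirror instead of snort.org, e.g. `url = http://rules-mirror.internal/snortrules-snapshot-2.6.tar.gz` (hostname assumed), and its own cron schedule can be as frequent as you like, since only the single mirror host ever presents the oinkcode upstream. Keep the mirror directory off any externally reachable vhost; redistributing the tarball outside your network is what Paul's parenthetical warns would cost you the download rights.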