Snort mailing list archives

Re: When Upgrading Breaks Auto Rule Management


From: "Merida, Dylan" <Dylan.Merida () EKU EDU>
Date: Thu, 28 Apr 2011 14:20:50 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can actually change your version to "edge" and this will ensure you're always getting the newest rules, but this 
causes other problems. For instance, some rules appear to stop functioning after making any change or enabling the 
version variable. PulledPork won't let you set the edge tar with the rules_url variable in the config; it always 
overwrites it with the automatic version check, so this is more of a problem with PulledPork.

rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot-edge.tar.gz|<oinkcode>
Seems to always use the snapshot tar with a version number instead, so you have to change the version variable on down 
in the config. Again, this appears to break some rules though.

Dylan Merida
Security Analyst
Information Technology
Eastern Kentucky University

On Apr 28, 2011, at 2:13 PM, Jason Wallace wrote:

Isn't this what "snortrules-snapshot-edge.tar.gz" is supposed to
handle? I thought "edge" would give you the most recent version of the
rules you have access to and it would automatically determine
registered user vs. subscription user based on the oink code you give
it?

rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot-edge.tar.gz|<oinkcode>


thx,
Wally


On Thu, Apr 28, 2011 at 2:00 PM, Eoin Miller
<eoin.miller () trojanedbinaries com> wrote:
On 4/28/2011 4:47 PM, Joel Esler wrote:
On Thu, 2011-04-28 at 16:10 +0000, Eoin Miller wrote:

Then it occurred to me, go to the site and check if 2.9.0.5 rules are
available yet for registered users and after reviewing that site and the
SourceFire blog, it was clear that 30 days have not passed yet. Is it
possible to get some kind of place holder to pull down the 2.9.0.4
version of the rules until the 2.9.0.5 rules are available? Otherwise if
users roll out a new sensor within the first 30 days of a new Snort
version being released, their VRT auto rule updating will break until
the 30 days have expired.
Eoin,

Maybe I am not understanding what you are asking here, but if you change
2905 to 2904 in pulledpork, it'll grab the 2904 rules.  Is that what you
are asking?

Joel

Yes, if you specify the version 2.9.0.4 in the PulledPork conf file
when you are actually running 2.9.0.5 to make it work. But then after
the 30 day lag has expired, you have to remember to go back in and
comment that line out of the conf file so you start pulling 2.9.0.5
rules for your 2.9.0.5 instance because if you don't there will be a
time when 2.9.0.4 is gone from the supported rule list when 2.9.0.5 is
still supported. It's an annoyance that requires good knowledge of the 30
day lag, when your snort version was released because otherwise users
will be thinking their oinkcode does not work etc etc. If there is no
2.9.0.5 available for a user because they are registered versus subscription,
then the request for 2.9.0.5 could return the 2.9.0.4 version. Or
actually releasing 2.9.0.5 registered user rules to correspond with a
2.9.0.5 release on the same day would probably be a good idea. Otherwise
people have to deal with this type of gotcha for the 30 day lag period.

-- Eoin

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



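The fallback Eoin asks for above (pull the newest published rules version that is not newer than the running Snort, and know when a manual 2904 pin on a 2.9.0.5 sensor has gone stale) is easy to state as code. The block below is an added example written for this archive page; it is not PulledPork's own code and it does not talk to snort.org. The function names, the release calendar in SUBSCRIBER_RELEASE and the 30-day lag constant are assumptions made for the example; the rule_url line format and the snapshot file naming (2.9.0.5 -> snortrules-snapshot-2905.tar.gz) are taken from the thread.

```python
"""Added example, not PulledPork's own code: decide which VRT rules snapshot a
sensor should pull, modelling the 30-day lag the thread describes (registered
users get a new Snort version's rules about 30 days after subscribers).
Function names, the release dates and the lag constant are assumptions."""
from datetime import date, timedelta

REGISTERED_LAG = timedelta(days=30)          # assumed lag, per the thread
THREAD_DATE = date(2011, 4, 28)              # the day the thread was posted

# Constructed release calendar (not real VRT dates): the day a version's rules
# became available to subscribers. Embedded so the example runs offline.
SUBSCRIBER_RELEASE = {
    "2.9.0.3": date(2011, 1, 10),
    "2.9.0.4": date(2011, 3, 1),
    "2.9.0.5": date(2011, 4, 12),
}


def parse_version(version):
    """'2.9.0.5' -> (2, 9, 0, 5); rejects anything that is not four integers."""
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("bad Snort version: %r" % version)
    return tuple(int(p) for p in parts)


def version_tag(version):
    """The form PulledPork puts in the tarball name: '2.9.0.5' -> '2905'."""
    return "".join(str(p) for p in parse_version(version))


def snapshot_name(version):
    """Versioned tarball name, as quoted in the thread."""
    return "snortrules-snapshot-%s.tar.gz" % version_tag(version)


def available_versions(tier, today, releases=SUBSCRIBER_RELEASE):
    """Rule versions published for the tier on a given day, oldest first."""
    if tier not in ("subscription", "registered"):
        raise ValueError("unknown tier: %r" % tier)
    lag = REGISTERED_LAG if tier == "registered" else timedelta(0)
    return sorted(
        (v for v, released in releases.items() if today >= released + lag),
        key=parse_version,
    )


def choose_snapshot(snort_version, tier, today, releases=SUBSCRIBER_RELEASE):
    """Newest published rules version that is not newer than the running Snort.
    Returns None when nothing usable exists (the failure mode in the thread)."""
    running = parse_version(snort_version)
    usable = [v for v in available_versions(tier, today, releases)
              if parse_version(v) <= running]
    return usable[-1] if usable else None


def rule_url(base, snort_version, tier, today, oinkcode,
             releases=SUBSCRIBER_RELEASE):
    """Build the PulledPork rule_url line for the snapshot chosen above."""
    chosen = choose_snapshot(snort_version, tier, today, releases)
    if chosen is None:
        raise RuntimeError("no rules snapshot published for Snort %s (%s)"
                           % (snort_version, tier))
    return "rule_url=%s|%s|%s" % (base, snapshot_name(chosen), oinkcode)


def pin_is_stale(pinned_version, snort_version, tier, today,
                 releases=SUBSCRIBER_RELEASE):
    """True once a workaround pin (e.g. 2904 on a 2.9.0.5 sensor) should be
    removed: the running version's own rules are now published for this tier."""
    if parse_version(pinned_version) >= parse_version(snort_version):
        return False
    return snort_version in available_versions(tier, today, releases)


if __name__ == "__main__":
    for tier in ("subscription", "registered"):
        print(tier, rule_url("https://www.snort.org/sub-rules/", "2.9.0.5",
                             tier, THREAD_DATE, "<oinkcode>"))
```

Run on the thread's date, the subscription tier resolves a 2.9.0.5 sensor to snortrules-snapshot-2905.tar.gz while the registered tier falls back to snortrules-snapshot-2904.tar.gz; thirty days later pin_is_stale reports that the 2904 pin should come out of the conf file. A cron wrapper around PulledPork could run that check and log a warning instead of leaving the sensor silently on an old ruleset.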
