Snort mailing list archives

Re: Ideal way to update the rules


From: Y M <snort () outlook com>
Date: Thu, 31 Jul 2014 13:05:51 +0000

Did you try the -k option? Does it achieve what you are after?
Another option (which I haven't tried) is, while you still use -T, maybe pcre-add gid:3 into the enablesid.conf file?
This may work.
YM

From: anshuman () cybage com
To: Shawn.Jefferson () bcferries com; snort-users () lists sourceforge net
Date: Wed, 30 Jul 2014 18:08:56 +0000
Subject: Re: [Snort-users] Ideal way to update the rules

Got it. But I see that in the pulledpork 0.70 configuration file (pulledpork.conf) it says "##### Deprecated - The stubs are now categorically written to the single rule file!". So does it mean that using pulledpork version 0.70 I would not be able to dump the so_rules in a separate file the way you are able to do it using 0.60? If so, then what is the solution for me if I am on pulledpork version 0.70?

Regards,
Anshuman

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Wednesday, July 30, 2014 10:06 PM
To: Anshuman Anil Deshmukh; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Ideal way to update the rules

Hmmm, pulledpork works fine for me (I’m on 0.60 though).  I have my so_rules.rules file listed in the local files:
 
local_rules=/etc/snort/rules/local.rules,/etc/snort/rules/so_rules.rules
 
So it builds the sid-msg.map properly.
 
And then, my sostub_path:
 
sostub_path=/etc/snort/rules/so_rules.rules
 
I run pulledpork twice a day with the -T parameter, and once a week as part of a script that updates the SO rules and bounces the snort process.

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: July 30, 2014 12:56 AM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Ideal way to update the rules

Can anybody please tell us how we could just process the text based rules without disabling the existing shared object rules?

Regards,
Anshuman



From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Tuesday, July 29, 2014 1:22 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ideal way to update the rules

Thank you.

Currently, if the -T switch is used then it only processes the text based rules, but it also disables all the existing shared object rules.

Can anybody tell us how we could just process the text based rules on a daily basis using a cron job without disabling the existing shared object rules? We will update the shared object rules, say, once or twice a week by completely stopping the snort process till we are on pf_ring.

Regards,
Anshuman



From: Livio Ricciulli [mailto:livio () metaflows com]
Sent: Tuesday, July 29, 2014 1:26 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ideal way to update the rules

This might be a bit of a project, but the way we handle rule updating without service interruption is to exploit a nice side-effect of pf_ring.

pf_ring distributes packets to multiple snort processes to execute in parallel; when one of the processes dies the others pick up the slack almost instantly. When it is added back it gets its portion of the traffic again. So, we kill one process at a time every few seconds, updating all processes without ever losing service.

There will be some loss in session states but it is a lot better than no service. Getting pf_ring inline to work can be tricky, but once it does, you get the added benefit of higher performance also.

Let me know if you need more information on that.

I hope this helps,

Livio.

On 07/28/2014 10:18 AM, Anshuman Anil Deshmukh wrote:

Hi,

I have a couple of questions regarding updating the rules automatically and then sending a HUP signal to barnyard and Snort every time we update the rules.

We intend to use so rules. I understand that the HUP signal cannot be sent when downloading and processing the so rules, so the only option left is to stop Barnyard & Snort completely. In our case we would have snort working inline and hence don't recommend reinitializing snort completely as it would break the network connection (our DAQ is AFPACKET).

Questions:
1. How regularly are so_rules released and how should they be updated (daily/weekly/any other option)?
2. How could one keep the so rules as well as text based rules updated with pulledpork? Do we need to have different schedules for updating so_rules and text based rules? If yes, is it like we need to have separate configuration files, one for text based rules and the other for so_rules?

We are using Snort version 2.9.6.1 and pulledpork version 0.70

Regards,
Anshuman


"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be privileged, confidential, or otherwise protected from
 disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, 
copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic 
message in error please
 notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every 
reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may 
sustain as a result of any malicious
 content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or 
attachment."
www.cybage.com
 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
 
Please visit http://blog.snort.org to stay current on all the latest Snort news!
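
The two-tier schedule Shawn describes above (text rules twice a day with -T followed by a HUP, SO rules once a week followed by a restart), together with the configuration check that makes the -T run safe and the validation step a practitioner would want before touching an inline AFPACKET sensor, as an added example script. It is not part of this thread, nor of pulledpork or Snort. Only pulledpork.pl -c and -T, and snort -c and -T (test mode), are real options; the binary paths, pidfile names, the service names used for the weekly restart, and the two pulledpork.conf keys it inspects (local_rules and sostub_path, as in Shawn's post) are assumptions made for the example. Whether pulledpork 0.70 still honours a separate sostub_path file, the open question in the thread, is not settled by this script: it only refuses a -T run when the two settings disagree.

```shell
#!/bin/sh
# Two-tier Snort rule refresh built around the layout Shawn describes:
#   daily  - pulledpork -T (text rules only), validate, SIGHUP snort + barnyard2
#   weekly - full pulledpork run (SO rules too), validate, restart snort + barnyard2
# Binary paths, pidfile names and service names below are assumptions for this
# example, not values taken from the thread.
set -e

PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
PP_CONF=${PP_CONF:-/etc/snort/pulledpork.conf}
SNORT=${SNORT:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_PIDFILE=${SNORT_PIDFILE:-/var/run/snort_eth0:eth1.pid}   # assumed
BY2_PIDFILE=${BY2_PIDFILE:-/var/run/barnyard2_eth0.pid}        # assumed
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of executing them

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# The thread's fix for "-T disables the SO rules": keep the SO stubs in their
# own file (sostub_path) and list that same file in local_rules, so a text-only
# run still carries the stubs into the rule set and sid-msg.map. Returns 0 when
# pulledpork.conf is laid out that way, 1 otherwise.
stubs_survive_text_only_run() {
    conf=$1
    stub=$(sed -n 's/^sostub_path=//p' "$conf" | tail -n 1)
    [ -n "$stub" ] || return 1
    sed -n 's/^local_rules=//p' "$conf" | tr ',' '\n' | grep -qxF "$stub"
}

# Build the pulledpork command line for a mode (printed, not executed).
pulledpork_cmd() {
    case $1 in
        daily)  printf '%s -c %s -T\n' "$PULLEDPORK" "$PP_CONF" ;;  # text rules only
        weekly) printf '%s -c %s\n' "$PULLEDPORK" "$PP_CONF" ;;     # text + SO rules
        *)      printf 'unknown mode: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Send SIGHUP to the pid stored in a pidfile. Snort and barnyard2 re-read
# their rule files and sid-msg.map on HUP; new .so files need a restart.
hup_from_pidfile() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: kill -HUP $(cat %s)\n' "$1"
        return 0
    fi
    [ -r "$1" ] || { printf 'no pidfile %s\n' "$1" >&2; return 1; }
    kill -HUP "$(cat "$1")"
}

run_update() {
    mode=$1
    cmd=$(pulledpork_cmd "$mode")

    if [ "$mode" = daily ]; then
        # Refuse to HUP the sensor into a rule set that silently lost its SO rules.
        stubs_survive_text_only_run "$PP_CONF" \
            || { printf 'sostub_path is not listed in local_rules; refusing -T run\n' >&2; return 1; }
    fi

    # shellcheck disable=SC2086   # splitting the built command line is intended
    run $cmd

    # Always test the new configuration before touching the running sensor: a
    # SIGHUP with a broken rule file takes an inline AFPACKET sensor down with it.
    run "$SNORT" -c "$SNORT_CONF" -T

    if [ "$mode" = daily ]; then
        hup_from_pidfile "$SNORT_PIDFILE"
        hup_from_pidfile "$BY2_PIDFILE"
    else
        # New shared-object rules are only loaded on a full restart; on an inline
        # sensor this is the window during which traffic is interrupted.
        run service snort restart
        run service barnyard2 restart
    fi
}

# Only act when a mode is given on the command line; sourcing the file does nothing.
if [ -n "${1:-}" ]; then
    run_update "$1"
fi
```

Run it as "snort-rule-update.sh daily" from the twice-daily cron entry and "snort-rule-update.sh weekly" from the weekly one; set DRY_RUN=1 to print what each mode would do without touching the sensor.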

 

