Snort mailing list archives

Re: rules update schedule (was: Re: so_rule problem)
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Fri, 1 Oct 2010 14:04:00 -0400

On Fri, 01 Oct 2010 13:35:59 -0400, waldo kitty wrote:
> On 10/1/2010 13:14, Nigel Houghton wrote:
>> On Fri, 01 Oct 2010 12:37:14 -0400, waldo kitty wrote:
>>> i had similar discussion to this some time back in another venue and
>>> at that time the question was does VRT update the "registered" rules
>>> snapshot every day so that there's a "rolling release" or do they
>>> simply wait and do one release every 30 days... AIR, no one ever
>>> answered that question or provided a pointer to where it might be
>>> answered...
>>
>> Didn't see that question, but to answer it. The roll over is automatic.
>
> yeah, i think it was before i joined the SF lists so you're off the hook :P
>
> i guess what i'm really trying to dig out is the answers to the following
> questions...
>
> 1. are rules released daily or are they held and released in batches
> once a week or month?

The schedule is roughly twice a week (Tuesdays and Thursdays). That 
can change though, sometimes more often, sometimes once a week. We'll 
always try to get something out for 0day stuff immediately though.

Remember, we do rigorous testing on rules, the regression suite goes 
through millions of tests and if something fails horribly, it can delay 
releases. We were thinking of introducing numbering for the rule pack 
releases (like we have for the Sourcefire 3D releases) but that might 
create more confusion as folks would see missing numbers as certain 
builds don't make it into release. We figure finding rule packs by date 
is easy enough anyway, the only time that gets confusing is in the rare 
occurrence where two or more rule releases are issued on the same day. 
Which has happened on some occasions.
 
> 2. can you list possible reasons why an initial update connection may
> be 403'd and the 15 minute delay initiated?

Don't know. Try contacting snort-site () sourcefire com for answers to 
those questions. We do not control the backend (or frontend) systems.

> 3. is it possible that even after waiting out the 15 minute delay
> that one might be 403'd again?

Don't know. Try contacting snort-site () sourcefire com for answers to 
those questions. We do not control the backend (or frontend) systems.

> 4. will we see the return of the reason for the 403 and the try again in X
> minutes in the 403 messages or will they remain plain jane 403's with no
> information that can be passed back to the user via message or logs?

Don't know. Try contacting snort-site () sourcefire com for answers to 
those questions. We do not control the backend (or frontend) systems.

> the answers could greatly help with eliminating unnecessary updating
> schedules and traffic...

I think if you work on the assumption that rules will get updated on 
Tuesdays and Thursdays you'll be good to go. Of course, everything 
that you do automatically should have the option to run manually should 
it be necessary. Keep an eye on the snort-sigs list or the blog or 
snort.org (there's an RSS feed for rule release info at 
http://www.snort.org/vrt/advisories.xml) to see if you should manually 
update for something that falls outside the normal schedule.

> thanks for your time and attention in this! ;)

Yep.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
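
Added example, not part of the original message and not Sourcefire or VRT code: one way an update job could combine the Tuesday/Thursday assumption, the release feed, a manual override and the 15 minute wait after a 403 that the thread mentions. The function names, the reason strings and the sample feed are constructed for illustration, and the feed is assumed to be plain RSS 2.0 with `pubDate` elements.

```python
import xml.etree.ElementTree as ET
from datetime import timedelta
from email.utils import parsedate_to_datetime

BACKOFF = timedelta(minutes=15)  # wait after a 403, as described in the thread
SCHEDULED_DAYS = {1, 3}          # Tuesday and Thursday (Monday == 0)

# Constructed sample feed; the real feed's layout is an assumption (RSS 2.0).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>constructed rule release feed</title>
<item><title>Release A</title><pubDate>Tue, 28 Sep 2010 18:00:00 +0000</pubDate></item>
<item><title>Release B</title><pubDate>Fri, 01 Oct 2010 15:30:00 +0000</pubDate></item>
</channel></rss>"""

def latest_release(feed_xml):
    """Return the newest item pubDate in the feed, or None if there is none."""
    # For a feed fetched over the network, a hardened parser such as
    # defusedxml is the safer choice; ElementTree is used here to stay stdlib-only.
    dates = []
    for item in ET.fromstring(feed_xml).iter("item"):
        text = item.findtext("pubDate")
        if not text:
            continue
        try:
            dates.append(parsedate_to_datetime(text.strip()))
        except (TypeError, ValueError):
            continue  # skip items with a malformed date
    return max(dates, default=None)

def should_fetch(now, last_fetch, last_403, feed_xml=None, manual=False):
    """Decide whether to request the rule pack now; returns (decision, reason).

    All datetimes are expected to be timezone-aware.
    """
    # A recent 403 blocks everything, including manual runs, so the job
    # never hammers the server while the delay is still in effect.
    if last_403 is not None and now - last_403 < BACKOFF:
        return False, "backoff"
    if manual:
        return True, "manual"
    # An out-of-schedule release announced in the feed triggers a fetch.
    if feed_xml is not None:
        newest = latest_release(feed_xml)
        if newest is not None and (last_fetch is None or newest > last_fetch):
            return True, "feed"
    # Otherwise fetch once per scheduled day.
    if now.weekday() in SCHEDULED_DAYS and (last_fetch is None or last_fetch.date() < now.date()):
        return True, "schedule"
    return False, "nothing-new"
```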
