Snort mailing list archives

Ideal way to update the rules


From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Mon, 28 Jul 2014 17:18:53 +0000

Hi,



I have a couple of questions regarding updating the rules automatically and then sending a HUP signal to barnyard and 
Snort after every time we update the rules.



We intend to use so rules. I understand that the HUP signal cannot be sent when downloading and processing the so 
rules, so the only option left is to stop Barnyard & Snort completely. In our case we would have Snort working 
inline and hence don't recommend reinitializing Snort completely, as it would break the network connection (our 
DAQ is AFPACKET).



Questions:

1.       How regularly are so_rules released and how should they be updated (daily/weekly/any other option)?

2.       How could one keep the so rules as well as text based rules updated with pulledpork? Do we need to have different 
schedules for updating so_rules and text based rules? If yes, do we need to have separate configuration files, 
one for text based rules and the other for so_rules?



We are using Snort version 2.9.6.1 and pulledpork version 0.70





Regards,

Anshuman


