Jason,
Its not limiting specific to Oinkmaster. Applied Watch began seeing this
a few weeks ago through regular rule downloads with our Command Center
using specific Oink Code. Sourcefire seems to be limiting user-specific
Oink Code to download rules only once a day.
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Tel: (877) 262-7593
Web: http://www.appliedwatch.com
Jason Haar wrote:
I notice the "www.snort.org/pub-bin/oinkmaster.cgi" script has some form
of download limiting component (to stop people like me repeatably
downloading the same live data while editing/updating local scripts - ahem).
Anyway, such scaling issues happen. I'd like to suggest that Sourcefire
look to ClamAV to see how they handled people hammering their servers
looking for updates that didn't exist (i.e. they were already up to
date). Their rules basically have a serial number and they put that into
a DNS record, and then their freshclam update daemon looks to that DNS
record before deciding to actually do a HTTP connection to download an
update. Than plus some time-of-day randomization and load sharing should
go a loooong way on the scalability side...
Just an idea.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
