Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Rules Downloads and Scalability

from [Mike Guiterman] Network Security [Permanent Link]
Subject: [Snort-users] Rules Downloads and Scalability
Date: Mon, 18 Sep 2006 10:28:57 -0400 
Hi everyone,


In order to prevent excess resource consumption Sourcefire announced a new
download policy in August.  Each file may be downloaded once in 15 minutes.

As rule updates are not released on a daily basis, the 15 minute policy
should not impact anyone's ability to maintain up to date coverage.

Subscribers for VRT rules updates are currently exempt from this policy.

Thanks to Jason for suggesting an alternative for managing the resource
issue. The Snort Team is always thankful for feedback.

If you have questions on the policy or have other feedback please don't
hesitate to contact us at snort-site@sourcefire.com.


Keep Snorting!

Mike Guiterman
Snort Community Manager
Sourcefire, Inc.







 





-------- Original Message --------
Subject: Re: [Snort-users] rules downloads and scalability
Date: Sun, 17 Sep 2006 21:59:27 -0500
From: Eric Hines <eric.hines@appliedwatch.com>
To: Jason Haar <Jason.Haar@trimble.co.nz>
CC: snort-users@lists.sourceforge.net
References: <450E05B0.5020002@trimble.co.nz>

Jason,

Its not limiting specific to Oinkmaster. Applied Watch began seeing this
a few weeks ago through regular rule downloads with our Command Center
using specific Oink Code. Sourcefire seems to be limiting user-specific
Oink Code to download rules only once a day.

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Tel: (877) 262-7593
Web: http://www.appliedwatch.com

Jason Haar wrote:

I notice the "www.snort.org/pub-bin/oinkmaster.cgi" script has some form
of download limiting component (to stop people like me repeatably
downloading the same live data while editing/updating local scripts - ahem).

Anyway, such scaling issues happen. I'd like to suggest that Sourcefire
look to ClamAV to see how they handled people hammering their servers
looking for updates that didn't exist (i.e. they were already up to
date). Their rules basically have a serial number and they put that into
a DNS record, and then their freshclam update daemon looks to that DNS
record before deciding to actually do a HTTP connection to download an
update. Than plus some time-of-day randomization and load sharing should
go a loooong way on the scalability side...

Just an idea.

  




-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] OT: Opensource NSM, carlopmart
Next by Date:  Re: [Snort-users] rules downloads and scalability, Martin Roesch
Previous by Thread:  Re: [Snort-users] rules downloads and scalability, Bristol, Gary L.
Next by Thread:  [Snort-users] what is the difference in memory models (search-method lowmem) mean?, Jason Haar
Indexes:  [Date] [Thread] [Top] [All Lists]