This is a discussion on Re: [Snort-users] rules downloads and scalability within the Snort forums, part of the System Security and Security Related category.
I do want to add to my comment. I do understand Sourcefire's reasoning for doing this. With the number of times Snort has been downloaded and half that number of people were checking our web site multiple times a day (I hear it's as excessive as every 10 mins), I too would have put a mechanism in place to prevent it.

Also, I took a closer look at the Sourcefire message for download limiting. It seems to be every 15 minutes. I think if anyone downloads new rules more often than every 15 minutes, something needs to be changed :)

-------------- snip -------------
Next download available at: 2006-09-18 09:33:54 (Currently: 2006-09-18 09:18:55)

You don't have permission to access /pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-2.4.tar.gz on this server.
-------------- snap -------------

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise

Eric Hines wrote:
> Jason,
>
> It's not limiting specific to Oinkmaster. Applied Watch began seeing this
> a few weeks ago through regular rule downloads with our Command Center
> using specific Oink Code. Sourcefire seems to be limiting user-specific
> Oink Code to download rules only once a day.
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 221
> Crystal Lake, IL 60014
> Tel: (877) 262-7593
> Web: http://www.appliedwatch.com
>
> Jason Haar wrote:
>> I notice the "www.snort.org/pub-bin/oinkmaster.cgi" script has some form
>> of download limiting component (to stop people like me repeatedly
>> downloading the same live data while editing/updating local scripts - ahem).
>>
>> Anyway, such scaling issues happen. I'd like to suggest that Sourcefire
>> look to ClamAV to see how they handled people hammering their servers
>> looking for updates that didn't exist (i.e. they were already up to
>> date). Their rules basically have a serial number and they put that into
>> a DNS record, and then their freshclam update daemon looks to that DNS
>> record before deciding to actually do an HTTP connection to download an
>> update. That plus some time-of-day randomization and load sharing should
>> go a loooong way on the scalability side...
>>
>> Just an idea.
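The check-before-download pattern suggested in the quoted message, combined with the throttle notice quoted in the reply, sketched as an added example (not part of the original thread, and not Oinkmaster or freshclam code). `lookup_serial`, `plan_update` and the serial numbers are hypothetical; the DNS lookup itself is left to the caller.

```python
import random
import re
from datetime import datetime

# Format of the throttle notice quoted in the post above.
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
THROTTLE_RE = re.compile(r"Next download available at: " + TS + r"\s+\(Currently: " + TS + r"\)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def throttle_wait_seconds(body):
    """Seconds until the server allows the next download, or None if the body
    has no throttle notice. Both timestamps are the server's, so local clock
    skew does not affect the result."""
    m = THROTTLE_RE.search(body)
    if m is None:
        return None
    next_ok = datetime.strptime(m.group(1), TS_FMT)
    now = datetime.strptime(m.group(2), TS_FMT)
    return max(0, int((next_ok - now).total_seconds()))


def plan_update(local_serial, lookup_serial, last_body="", jitter_max=300, rng=random):
    """Return (action, delay_seconds); action is "skip", "wait" or "download".

    lookup_serial is a hypothetical callable returning the published rule-set
    serial (for instance read from a DNS TXT record) or None on failure.
    The serial is only a hint; the downloaded archive still needs its own
    integrity check.
    """
    wait = throttle_wait_seconds(last_body)
    if wait:
        # The server said when to come back; jitter spreads clients out.
        return ("wait", wait + rng.randint(0, jitter_max))
    published = lookup_serial()
    if published is not None and published <= local_serial:
        return ("skip", 0)  # already current: no HTTP request at all
    # Newer serial, or the lookup failed: fail open so a broken record
    # never leaves the sensor running stale rules.
    return ("download", rng.randint(0, jitter_max))


# Notice text taken from the post; the serial numbers below are constructed.
SAMPLE_NOTICE = ("Next download available at: 2006-09-18 09:33:54 "
                 "(Currently: 2006-09-18 09:18:55)")

if __name__ == "__main__":
    print(throttle_wait_seconds(SAMPLE_NOTICE))
    print(plan_update(41, lambda: 41))
    print(plan_update(41, lambda: 42, jitter_max=0))
```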