Monday, June 28, 2010

IMPORTANT Rule Download Change

Today the Snort Web Team made a change to the way that Snort rules are downloaded from snort.org. Hopefully this will result in faster downloads for most people. The changes are highlighted below:

We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:


Subscriber Release:

http://www.snort.org/sub-rules/snortrules-snapshot-2860.tar.gz/43f45cd452456094ac7e3ae58b12d256fa3d2f23

http://www.snort.org/sub-rules/snortrules-snapshot-2853.tar.gz/43f45cd452456094ac7e3ae58b12d256fa3d2f23


Registered User Release:

http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/43f45cd452456094ac7e3ae58b12d256fa3d2f23

http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/43f45cd452456094ac7e3ae58b12d256fa3d2f23



Configuring Oinkmaster:

In order to use Oinkmaster to update Snort with VRT rules you must edit oinkmaster.conf.

In the oinkmaster.conf modify "url" to:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>



Important Note:

As noted above, the CURRENT and 2.8 naming conventions have been deprecated as of June 2010 for oinkmaster downloads. You are responsible for updating your oinkmaster.conf file to reflect your installed version of Snort. Continued attempts to download outdated versions will result in being banned. Example for snort 2.8.6.0:


url = http://www.snort.org/pub-bin/oinkmaster.cgi/43f45cd452456094ac7e3ae58b12d256fa3d2f23/snortrules-snapshot-2860.tar.gz



Example for snort 2.8.5.3:


url = http://www.snort.org/pub-bin/oinkmaster.cgi/43f45cd452456094ac7e3ae58b12d256fa3d2f23/snortrules-snapshot-2853.tar.gz


Add to Technorati Favorites Digg! This

2 comments:

JJC said...

Pulledpork 0.4.2 that is in svn has been modified to fully support this new download method as of rev 135. The formal 0.4.2 release will be forthcoming!

JJC said...

As promised, 0.4.2 was released on the 29th... it fully supports the new s3 backend for VRT rulesets, get it here -> http://code.google.com/p/pulledpork/