Friday, January 6, 2017

Are you abusing Snort.org?

For those in the Snort community who remember the previous version of Snort.org (4.0) before the current one (5.0), you will recall that we only allowed users to download the ruleset once every fifteen minutes. When we rolled out 5.0, we removed this restriction, allowing people to download as often as they like.

This decision has caused some problems, and people are abusing the system. We have a select few who are attempting to download the ruleset once a second, hundreds of people doing so several times a minute, and even more doing so once a minute.

While we are as eager as you are to get the rulesets into the hands of our users, once a second is far too often, and it costs us in terms of bandwidth and utilization of the site. While we could turn up the dial on resources for Snort.org, we don't feel that the extra expense and bandwidth are justified to compensate for the few who are abusing the system.

We don't want a few abusers to ruin the experience for everyone, so we have implemented throttling on a case-by-case basis, only for select oinkcodes and downloaders that we observe abusing the system. There are two stages to this.

  1. Throttling: you can still download, but only at a more reasonable rate, and requests beyond that are blocked.
  2. Outright blocking. You'll know if this is you, as you'll get a message that says "your IP has been blocked" in your 404 message. We only have a couple of IPs in this category right now. Two of these IPs are responsible for 2.5 million hits a day.

There are three ways you can end up in "Abuse land".

  • Excessive Downloading
Attempting to download the ruleset, or check for an update to the ruleset, more than 3 times in five minutes. Checking the site once every hour is recommended. If you are checking it more than 3 times within five minutes, that's a bit much.

  • Sharing an Oinkcode
While the license prohibits sharing an oinkcode or using an oinkcode for unauthorized purposes (a problem we are currently planning to fix as well), occasionally an oinkcode will get posted to a forum or mailing list. People will then find this posted oinkcode and attempt to use it in their installations. (We had a rash of this going around about a year ago with one particular oinkcode, and it was so bad that we had over 35M people downloading the ruleset with that one oinkcode every day.) When that happens, we have to change the oinkcode and throttle its usage.

  • Attempting to download a ruleset that doesn't exist
We still have people attempting to download the ruleset for Snort 2.2.0. (13 years old at this point?) While we return a 404, maybe if we tell people why they are receiving the 404, they may update? (Wishful thinking on my part, I think.)

We have created an Abuse FAQ: https://snort.org/faq/abuse-of-snort-org, which will appear in the message you receive when you are throttled.
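To make the two-stage policy above concrete, here is a small sliding-window throttle, added as an illustration. It is not Snort.org's own code; it only models the behaviour the post describes. The "more than 3 requests in five minutes" threshold, the two stages, the FAQ URL and the 404 block message are taken from the post, and the 10-minute automatic block duration is taken from the comments below; the number of over-limit requests that escalates a client from throttling to a block (10) is an assumption made for this example, and the request log it runs over is constructed.

```python
from collections import defaultdict, deque

# Thresholds from the post: more than 3 fetches or update checks within
# five minutes counts as excessive downloading.
WINDOW_SECONDS = 5 * 60
MAX_REQUESTS_PER_WINDOW = 3
# The post's comments say automatic blocks are lifted after 10 minutes.
BLOCK_SECONDS = 10 * 60
# Assumption for this example: this many over-limit requests inside one
# window escalates a client from stage 1 (throttling) to stage 2 (block).
THROTTLE_EVENTS_BEFORE_BLOCK = 10

ABUSE_FAQ = "https://snort.org/faq/abuse-of-snort-org"


class DownloadThrottle:
    """Per-client (oinkcode or IP) sliding-window rate limiter with escalation."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW,
                 block=BLOCK_SECONDS, escalate_after=THROTTLE_EVENTS_BEFORE_BLOCK):
        self.window = window
        self.limit = limit
        self.block = block
        self.escalate_after = escalate_after
        self._allowed = defaultdict(deque)    # key -> timestamps of served requests
        self._throttled = defaultdict(deque)  # key -> timestamps of throttled requests
        self._blocked_until = {}              # key -> time at which the block expires

    def _trim(self, q, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, key, now):
        """Decide one request at time `now` (seconds). Returns (status, http_code, message)."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return ("blocked", 404, f"your IP has been blocked; see {ABUSE_FAQ}")
            # Block has expired: lift it and forget the escalation history.
            del self._blocked_until[key]
            self._throttled[key].clear()

        allowed = self._allowed[key]
        self._trim(allowed, now)
        if len(allowed) < self.limit:
            allowed.append(now)
            return ("allow", 200, "ok")

        # Stage 1: over the limit, so throttle and remember the event.
        throttled = self._throttled[key]
        self._trim(throttled, now)
        throttled.append(now)
        if len(throttled) >= self.escalate_after:
            # Stage 2: persistent abuse inside one window earns a temporary block.
            self._blocked_until[key] = now + self.block
            return ("blocked", 404, f"your IP has been blocked; see {ABUSE_FAQ}")
        return ("throttled", 429, f"too many requests; see {ABUSE_FAQ}")


def simulate(events, throttle=None):
    """Feed (timestamp, client_key) requests through a throttle; return each status."""
    t = throttle or DownloadThrottle()
    return [t.check(key, ts)[0] for ts, key in events]


if __name__ == "__main__":
    # Constructed request log: one hourly client, one per-minute client, one per-second client.
    log = [(h * 3600, "hourly-client") for h in range(3)]
    log += [(m * 60, "per-minute-client") for m in range(6)]
    log += [(s, "per-second-client") for s in range(20)]
    log.sort()
    t = DownloadThrottle()
    for ts, key in log:
        status, code, msg = t.check(key, ts)
        print(f"t={ts:5d}s {key:18s} {status:9s} HTTP {code}")
```

A client that checks hourly is never touched; a client checking every minute is served three times, throttled twice, then served again as its oldest request ages out of the window; a client hammering once a second is throttled for a few seconds and then blocked outright for ten minutes. Keying the limiter by oinkcode as well as by IP is what lets a shared oinkcode be throttled across many downloaders at once.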


One of the good things about Snort.org's system is that we only require an email address to create an account (soon we'll have to collect a zip code as well for tax purposes; more on that later). We confirm these email addresses upon signup, but we add thousands of new users to Snort.org a day, and over time people leave their jobs, their email addresses expire, mailboxes fill up, etc. So despite our best efforts to contact these abusers, they aren't adjusting their crontabs; we sometimes receive a bounce from the email we send them, or we receive no response at all. We will no longer be contacting people on a case-by-case basis; we're just going to start throttling you.

Please feel free to leave a comment here, or on the Snort-users mailing list if there are any questions.

7 comments:

  1. I am trying to grasp why there would be per-second downloads. This makes no sense at all, as it not only wastes your bandwidth, but the bandwidth and CPU time on the system downloading the file as well.

    Replies
    1. When you figure it out, please let us know.

  2. Are blocks permanent? No information anywhere. I was blocked setting up pfsense because I was updating each ruleset one at a time both for Snort and Suricata. Also default settings had them both updating with 2 minutes of each other.

    Replies
    1. The automatic blocks are not permanent. They will be lifted after 10 minutes. If you are consistently and constantly blocked, then we are seeing a check from your IP MUCH more often than the default. Are you blocked?

    2. I was blocked earlier, but it's working now. I will correct my newbie mistakes. Thank you very much Joel.

  3. "snort: error while loading shared libraries: libsfbpf.so.0: cannot open shared libraries" occurred during the start of Snort. Can anybody help me with how I can solve it?
