Friday, January 6, 2017

Are you abusing

For those in the Snort community who remember the previous version of the site (4.0) before the current one (5.0), you will remember that we only allowed users to download the ruleset once every fifteen minutes. When we rolled out 5.0, we removed this restriction, allowing people to download as often as they like.

This decision has caused some problems, and people are abusing the system. We have a select few attempting to download the ruleset once a second, hundreds of people downloading several times a minute, and even more downloading once a minute.

While we are as eager as you are to get the rulesets into the hands of our users, once a second is far too often, and it costs us in terms of bandwidth and utilization of the site. While we could turn up the dial on resources, we don't feel that the extra expense and bandwidth are warranted to compensate for the few who are abusing the system.

We don't want a few abusers to ruin the experience for everyone, so we have implemented throttling on a case-by-case basis, only for select oinkcodes and downloaders that we observe abusing the system. There are two stages to this.

  1. Throttling: you can still download, but only at a more reasonable rate, and you are blocked otherwise.
  2. Outright blocking. You'll know if this is you, as you'll get a message that says "your IP has been blocked" in your 404 message. We only have a couple of IPs in this category right now. Two of these IPs are responsible for 2.5 million hits a day.

There are three ways you can end up in "Abuse land".

  • Excessive Downloading  
Attempting to download the ruleset, or check for an update to the ruleset, more than 3x in five minutes. Checking the site once every hour is recommended; if you are checking it more than 3 times within five minutes, that's a bit much.

  • Sharing an Oinkcode
While the license prohibits sharing an oinkcode and using an oinkcode for unauthorized means (a problem we are also planning to fix), occasionally an oinkcode will get posted to a forum or mailing list. People will then find this posted oinkcode and attempt to use it in their installations. (We had a rash of this going around about a year ago with one particular oinkcode, and it was so bad that we had over 35M people downloading the ruleset with that one oinkcode every day.) We'll have to change the oinkcode and throttle the usage of it.

  • Attempting to download a ruleset that doesn't exist
We still have people attempting to download the ruleset for Snort 2.2.0. (13 years old at this point?) While we return a 404, maybe if we tell people why they are receiving the 404, they will update? (Wishful thinking on my part, I think.)
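The excessive-download rule above (more than 3 downloads or update checks within five minutes) expressed as a per-oinkcode sliding-window check, run over constructed access-log lines. This is an added example, not the site's own throttling code; keying on the oinkcode and the log-line format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy stated in the post: more than 3 ruleset downloads or update checks
# within five minutes is excessive; once an hour is the recommended cadence.
WINDOW = timedelta(minutes=5)
LIMIT = 3

class SlidingWindowThrottle:
    """Per-key sliding-window counter. Keying on the oinkcode is an assumption;
    the post only says throttling applies to select oinkcodes and downloaders."""

    def __init__(self, window=WINDOW, limit=LIMIT):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)   # key -> request timestamps still inside the window

    def check(self, key, when):
        """Record one request and return 'allow' or 'throttle'."""
        q = self.seen[key]
        while q and when - q[0] >= self.window:   # expire requests older than the window
            q.popleft()
        q.append(when)
        return "allow" if len(q) <= self.limit else "throttle"

def evaluate_log(lines, throttle=None):
    """Feed constructed access-log lines ('<ISO timestamp> <oinkcode>') through the
    throttle and return {oinkcode: number of requests that would be throttled}.
    Keys that never exceed the limit are omitted."""
    throttle = throttle or SlidingWindowThrottle()
    throttled = defaultdict(int)
    for line in lines:
        stamp, key = line.split()
        if throttle.check(key, datetime.fromisoformat(stamp)) == "throttle":
            throttled[key] += 1
    return dict(throttled)

# Constructed sample log: one hourly checker (within policy) and one cron job
# firing every minute (the "once a minute" case the post describes).
SAMPLE_LOG = (
    [f"2017-01-06T{h:02d}:00:00 hourly-oinkcode" for h in range(6)]
    + [f"2017-01-06T10:{m:02d}:00 every-minute-oinkcode" for m in range(10)]
)

if __name__ == "__main__":
    print(evaluate_log(SAMPLE_LOG))   # only the every-minute key shows up
```

The hourly checker is never throttled; the every-minute job is throttled from its fourth request onward, since the window never empties between hits.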

We have created an Abuse FAQ, which will appear in the message you receive when you are throttled.

One of the good things about our system is that we only require an email address (soon we'll have to collect a zip code as well for tax purposes, more on that later) to create an account. While we confirm these email addresses upon signup, and we add thousands of new users a day, some people leave their jobs, their email addresses expire, mailboxes fill up, etc. So despite our best efforts to contact these abusers, they aren't adjusting their crontabs. We sometimes receive a bounce from the email we send them, or we receive no response at all. We will no longer be contacting people on a case-by-case basis; we're just going to start throttling you.

Please feel free to leave a comment here, or on the Snort-users mailing list if there are any questions.