Snort mailing list archives

Rule Migration Cheat Sheet?
From: "Hayes, Bert (ISO)" <bhayes () infosec utexas edu>
Date: Tue, 21 Dec 2010 13:51:40 -0600

My apologies if this has already been covered elsewhere; if it has, I sure
can't find it.

I'm upgrading a non-production system from Debian's Snort 2.7 package to
Snort compiled from source.  This system only uses a handful of
custom rules that I've written myself for post-mortem pcap analysis of
malware, etc.  I'm not using VRT, ET, ET Pro, etc.  Just a few rules dumped
from my brain.

I'm aware that there were some big changes in rule syntax as of 2.8.6 (man,
am I aware) but I can't find a concise, coherent explanation of what the
specific changes are.  I can find tons of links re: how to get new and
improved rules that others have written, but nothing that addresses how to
re-write my own rules.

Anybody got a link?  Can it be posted to the Snort blog? (I know it's not
exactly timely, but it could help others.)



Bert Hayes, GCIH
Senior Network Security Analyst
University of Texas at Austin
Information Security Office

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
