Snort mailing list archives
Re: Snort 2.0 rc1 Observations
From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 11:17:22 -0500 (EST)
On Fri, 28 Mar 2003, Kenneth G. Arnold wrote:
> Do the rules for 2.0 rc1 correspond to snortrules-current.tar.gz (Works for HEAD branch of CVS) on the snort site for future updating?
Not quite. rc1 is from CVS HEAD, but -current is generated nightly. rc1 was generated two-three days ago... You may use those rules with no issues, but... Keep in mind the standard 'using bleeding edge CVS you may get cut' rule.
> I can understand how the wrong rules would explain the first two situations. Have the rules for writing passes to rules changed in this version? Have the command line options changed for making the passes to be processed before the alerts?
Nope. I don't think that's it. -o still works fine on my test setup. Which is why I think it's something else...

From your first email:

> 3. Once I did get Snort to start, I noticed that a lot of the rules that had pass rules for specific circumstances were starting to fire where they did not in version 1.9.1.

I'm going to guess you have pass rules that are using quite a few rule options inside of each pass rule. You may be using options that changed from 1.9.x to 2.0. Maybe some of these rules need some tweaking to be used with 2.0 due to options changing. Would you care to share a sanitized example or two?

You may also want to look at the Changelog. Tons of minor changes that aren't listed in the release blurb are sprinkled in there.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
