Snort mailing list archives
Re: Updating Rules?
From: "Dusty Hall" <halljer () auburn edu>
Date: Thu, 12 Feb 2004 15:59:53 -0600
I guess I'll update as soon as possible... I think this needs to be changed though: http://www.snort.org/dl/rules/ reads: -> If you are using 2.1.*, please use snortrules-snapshot-2_1 rules. <- Because snortrules-snapshot-2_1 rules.tar.gz BREAKS 2.1.0. If I had been using autoupdate with Oinkmaster and followed that info, I would have had problems due to the flowbits addition. Luckily I manually update my rules using Oinkmaster and inspect the results :). -Dusty
Andreas Östling <andreaso () it su se> 2/12/2004 3:39:33 PM >>>
On Thu, 12 Feb 2004, Dusty Hall wrote:
Which should I use for 2.1.0? Is 2.1.1 RC1 the "currently "shipping" snort"? Should I update?
Because of the alert mixup bug in Snort 2.1.0, I think it should be avoided. Snort 2.1.1 RC1 works fine from what I can tell, so I think you should use 2.1.1 RC1 and the 2_1 rules (or 2.0.6 and the 2_0 rules until 2.1.1 is released). Another reason to avoid 2.1.0 is that it doesn't have the flowbits feature which the 2_1 rules currently require (which I guess they really shouldn't, but that's a known issue that has already been mentioned on the lists, and it doesn't really matter as 2.1.1 RC1 is the way to go anyway).
Thank goodness I don't use oinkmaster to autoupdate...
Can you please explain what you mean by this? Autoupdate is of course always a risk, especially if you, for some mysterious reason, do it without running snort -T on the new rules before loading them. I haven't had any problems with Oinkmaster or the update process. Btw, for those who actually use Oinkmaster and Snort 2.1.1 and want to use the 2_1 rules, a simple workaround to disable all the 'flowbits' rules (temporarily, until you use a Snort that can handle them) can be (assuming Oinkmaster >= 0.9):

modifysid * "(.*\bflowbits:.*)" | "#$1"

Or simply "disablesid 2192,2350,2348,2349,2352", or use some modifysid statement or sed command or whatever to remove only the 'flowbits' parts if that is what you want. /Andreas
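The sed alternative Andreas alludes to, written out as an added example (this is not code from the thread, Oinkmaster or the Snort project): a POSIX sh script that comments out every active rule line using the 'flowbits' option, so a rules snapshot can be loaded on a Snort build that lacks that keyword. The sample rules it creates are constructed for this example, use the local sid range, and are not taken from any rules snapshot; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: disable 'flowbits' rules in a Snort rules file without Oinkmaster.

# Write a constructed sample rules file (hypothetical rules, local sid range).
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE plain rule"; content:"GET"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE flowbits setter"; content:"foo"; flowbits:set,example.seen; flowbits:noalert; sid:1000002; rev:1;)
alert tcp any 80 -> any any (msg:"EXAMPLE flowbits checker"; flowbits:isset,example.seen; content:"bar"; sid:1000003; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE already disabled"; flowbits:isset,x; sid:1000004; rev:1;)
EOF
}

# Count rule lines that are not commented out and still carry a flowbits option.
# 'flowbits:' must follow a space, ';' or '(' so an unrelated token cannot match.
count_active_flowbits_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[ ;(]flowbits:' || true
}

# Count rule lines that remain active after the rewrite.
count_active_rules() {
    grep -c '^[[:space:]]*alert' "$1" || true
}

# Prefix '#' to every active line that uses flowbits, leaving already-commented
# lines untouched (the 'b' branch skips them). The file is replaced atomically
# via a temporary copy so a failed sed never leaves a half-written rules file.
disable_flowbits_rules() {
    tmp="$1.tmp.$$"
    sed -e '/^[[:space:]]*#/b' -e '/[ ;(]flowbits:/s/^/#/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone run: build the sample file, rewrite it, and report the counts.
if [ "${0##*/}" != "sh" ] && [ -z "$DISABLE_FLOWBITS_NO_MAIN" ]; then
    rules_file=$(mktemp)
    make_sample_rules "$rules_file"
    echo "active flowbits rules before: $(count_active_flowbits_rules "$rules_file")"
    disable_flowbits_rules "$rules_file"
    echo "active flowbits rules after:  $(count_active_flowbits_rules "$rules_file")"
    echo "active rules remaining:       $(count_active_rules "$rules_file")"
    rm -f "$rules_file"
fi
```

Whichever route you take (this script, the modifysid line above, or disablesid), the rewritten file is only trustworthy once snort -T has parsed it cleanly with the Snort binary that will actually load it; that check is what turns an automated update from a gamble into a safe one.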
Current thread:
- Updating Rules? Dusty Hall (Feb 12)
- Re: Updating Rules? Andreas Östling (Feb 12)
- <Possible follow-ups>
- RE: Updating Rules? Vines Scott D 2d Lt AFFTC/IT (Feb 12)
- Re: Updating Rules? Andy Richter (Feb 12)
- RE: Updating Rules? Paul Schmehl (Feb 12)
- RE: Updating Rules? AJ Butcher, Information Systems and Computing (Mar 25)
- RE: Updating Rules? John Creegan (Feb 12)
- Re: Updating Rules? Dusty Hall (Feb 12)
- Re: Updating Rules? Paul Schmehl (Feb 12)
