Snort mailing list archives

RE: Snort Rule Downloading - Working now! (NOT!!!) (update use -CURRENT for 2.1.2)


From: "McCash, John" <John.McCash () andrew com>
Date: Tue, 4 May 2004 13:07:09 -0500

Brian (Vogle),
        The email Brian Caswell sent me was in response to a direct email inquiry on my part. I'm not sure he's been following snort-users recently. In any case, I'll copy him on this note and, for the record, here's a copy of the email he sent me:

On Tue, May 04, 2004 at 09:39:20AM -0500, McCash, John wrote:
I posted this to snort-users and snort-rules, but just in case
you're behind on that... It appears that the rules in the download
area for snort 2.1.x and 2.0.x are not being properly updated.
We're seeing updates to the .map files, but the .rules files aren't
changing. In particular the new LSASS exploit detection rules don't
appear to have shown up there. (I am making the assumption that such
rules exist for 2.1.x. The rules are referenced in the .map files,
they just don't appear in the .rules...) They are showing up in the
-CURRENT tarball, however.

They are not being updated on purpose.  The features required for
the LSASS are not available for 2.1.0.  You need 2.1.2 for that.

If you are using 2.1.2 or 2.1.3rc1, you can use CURRENT rules without
issue.

Brian

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Vogle,
Brian
Sent: Tuesday, May 04, 2004 12:52 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Rule Downloading - Working now!
(NOT!!!) (update use -CURRENT for 2.1.2)


Can we get an official confirmation on this?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of McCash,
John
Sent: Tuesday, May 04, 2004 12:18 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Rule Downloading - Working now!
(NOT!!!) (update use -CURRENT for 2.1.2)


Guys,
        I now have to stand corrected. It seems (according to email I
received from Brian Caswell) that the updates that I was looking for
(LSASS, etc.) don't work on 2.1.0 and before, and if you're running
2.1.2 or above, you're supposed to use the -CURRENT updates. It'd be
nice if the download page said that rather than to use the -2_1 rules
for 2.1.*.
                John


-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id149&alloc_id66&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


