Snort mailing list archives
Re: Ubuntu 11.04 / 10 rulesset
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 31 Oct 2011 12:12:50 -0400
On Oct 31, 2011, at 11:44 AM, Mike Lococo wrote:
On 10/31/2011 09:42 AM, Marcin Nawrocki wrote:
Do I have to compile / create my own snort rules for the recent versions of ubuntu or can I use the delivered rules for the LTS-version? If I have to do it by myself, how to do this manually?

I recently filed an Ubuntu bug regarding exactly this issue: https://bugs.launchpad.net/ubuntu/+source/snort/+bug/872582

In short, the version of Snort provided with Ubuntu is no longer supported by Sourcefire and will not run recent VRT rules. There is nothing you can do to make it do so. You can run whatever is in the snort-rules package, but I don't believe that the sigs in that package have been updated for at least a year. It's more likely that those are the sigs that were released with 2.8.5.2 in December of 2009, and consequently would be missing detection for any threat that has evolved or emerged since then (aka, almost everything that matters).
Actually, more incorrectly, the rules distributed WITH ubuntu are the GPL'ed ones. SID 3464 and below. So, very old.
As an alternate, you can custom install pulledpork and use it to download the Emerging-Threats Open ruleset which does still support the 2.8.5.x series. That's a quality ruleset in my opinion and you could do worse than to use it, but you can't run the VRT rules.
You can run the VRT rules, but we are adding keywords all the time that will break compatibility, and 2.8.5.2 can't use any of the newer features of the ruleset. There's a reason we update Snort and add better detection and magical keywords like "file_data". I really wish ET would stop "supporting" that far back. It's like enabling a drug addict to not quit. It hurts more than helps.
Another alternative is installing current snort from Source, which is what most serious Snort users do. There are guides out there on how to do so, but it is many many times more work than apt-get install.
Yes! That.