Snort mailing list archives
Re: Ubuntu 11.04 / 10 rulesset
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 31 Oct 2011 14:46:06 -0400
On Oct 31, 2011, at 2:23 PM, Mike Lococo wrote:

>> Actually, more incorrectly, the rules distributed WITH ubuntu are the GPL'ed ones. SID 3464 and below. So, very old.
>
> That's worse than I thought. That means that Snort as shipped by Ubuntu provides absolutely no protection against any credible threat scenario. The GPL rules are almost universally a throwback to a different time, no real attackers are using any of the techniques those sigs look for today.

It depends. There are some useful rules that still fire in the GPL set. But you are right, in order to be protected you need to have the most updated ruleset and engine.

>>> As an alternate, you can custom install pulledpork and use it to download the Emerging-Threats Open ruleset which does still support the 2.8.5.x series. That's a quality ruleset in my opinion and you could do worse than to use it, but you can't run the VRT rules.
>>
>> You can run the VRT rules, but we are adding keywords all the time that will break compatibility, and 2.8.5.2 can't use any of the newer features...
>
> If I recall correctly, it's not just that 2.8.5.2 won't take advantage of the new keywords. It will crash on startup and give you the sid of precisely one rule that uses an incompatible keyword. You'll have to iteratively try running Snort and disabling the offending rule until there are no more rules that use new keywords. How many rules are there that use incompatible keywords? Is it in the hundreds or thousands? With one restart for each to troubleshoot. Plus you'll have to go through the same process for each ruleset update, although the delta each week is probably only a dozen rules or so.

That delta will be increasing. So I wouldn't bet on it.
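The restart-and-disable loop Mike describes can be done in one pass over the rules file instead of one sid per crash. This is an added example, not code from the thread or from the Snort or pulledpork projects; it assumes one rule per line and a constructed placeholder list of option keywords the older engine does not know (the real list would come from that engine version's manual), and it comments out any rule whose options use one of them, returning the affected sids so the change can be reviewed.

```python
import re
# Assumed/constructed placeholder list of option keywords the older engine lacks;
# the real list would come from that Snort version's manual.
UNSUPPORTED_KEYWORDS = {"file_data", "http_raw_uri", "byte_extract"}

# Constructed sample ruleset; the first msg string contains a ';' on purpose.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"old style; still fine"; content:"GET"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"uses file_data"; file_data; content:"MZ"; sid:1000002; rev:1;)
# already disabled
alert tcp any any -> any 80 (msg:"byte_extract"; byte_extract:2,0,len; sid:1000003; rev:1;)
"""

def rule_options(rule):
    """Option keyword names of a one-line rule; splits on ';' only outside quotes."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    opts, cur, in_quote, esc = [], [], False, False
    for ch in rule[start + 1:end]:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur))
    return [o.strip().split(":", 1)[0].strip() for o in opts if o.strip()]

def rule_sid(rule):
    m = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return int(m.group(1)) if m else None

def disable_incompatible(rules_text, unsupported=UNSUPPORTED_KEYWORDS):
    """Comment out each active rule using an unsupported keyword; return (text, sids)."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            bad = sorted(set(rule_options(stripped)) & set(unsupported))
            if bad:  # keep the original line visible so the change can be audited
                disabled.append(rule_sid(stripped))
                line = "# disabled (%s): %s" % (",".join(bad), line)
        out.append(line)
    return "\n".join(out) + "\n", disabled
```

Run it against each downloaded ruleset before starting the engine, and diff the returned sid list week to week to see how fast that delta is actually growing.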