Snort mailing list archives
Re: rules update on 2.8
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 21 Dec 2011 11:47:15 -0500
The last ruleset we made for the 2.8.x branch was in November, and as Nick said, it was for 2.8.6.1. We haven't made rules for 2.8.5 in a long time (years). We've patched bugs and other problems in newer versions of Snort that 2.8.x was vulnerable to, and we suggest that you update to the current version of Snort (2.9.2).

J

On Dec 21, 2011, at 11:28 AM, hermit () outofoptions com wrote:
Nick,

The current install is on a production machine that I can't take much risk with; that is why I was wondering if the last rule set for the 2.8 series was compatible with my rpm version. Since the script that pulls doesn't alert on failure, I probably have a very old rule set from the looks of it.

I'm looking at "Insta-Snorby" at the moment and thinking about spinning that up on a VM as at least an interim measure. The current home-grown solution analyses the logs nightly and sends an email of possible events to look at every morning. Seems a tad untimely.

Thanks for the input.

Hermit

Quoting Nick Moore <nmoore () sourcefire com>:

Hermit,

1. Your Snort version is out of date - we are currently on version 2.9.2. Snort 2.8.6.1 is still on the web site for registered rule users, but will be aged out in the next couple of months.

2. I'd recommend using PulledPork over Oinkmaster. There are several guides available online on setting it up.

3. Yum and other package update mechanisms are not the best way to keep Snort up to date. I have found that these frequently lag far enough behind the current version that in some cases they are using a no-longer-supported version in their updates. I would instead recommend looking at it manually whenever there is a new Snort release and recompiling.

Hope this helps and Happy Snorting!

Nick

On Wed, Dec 21, 2011 at 8:35 AM, <hermit () outofoptions com> wrote:

Long-time lurker. I started a new position as systems administrator for a small company and just caught up on 6 months of email sitting around in this folder. The company I currently work for uses Snort, so I decided to catch up on the email and check the installation.

The old sysadmin has a cron set up to pull rules nightly with:

http://www.snort.org/pub-bin/oinkmaster.cgi/somegibberishhere/snortrules-snapshot-2.8.tar.gz

This fails.

[root@tan ~]# rpm -q snort
snort-2.8.5-1

Seems to be the latest available.

[root@tan ~]# yum update snort
Loaded plugins: downloadonly, security
Excluding Packages in global exclude list
Finished
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update
[root@tan ~]#

[root@tan ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[root@tan ~]#

Is it safe to change "snapshot-2.8" to "snortrules-snapshot-2861.tar.gz"?

Thanks
Hermit

------------------------------------------------------------------------------
Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)
Sourcefire - The Creators of Snort
www.sourcefire.com www.snort.org www.immunet.com
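Hermit's cron job above pulls the rules snapshot nightly but, as he notes, never alerts when the fetch fails, which is how a stale ruleset goes unnoticed. The script below is an added example, not code from the thread or from the Snort project: it downloads a snapshot into a temporary file, checks that the result is actually a gzip tarball (a CGI error page returned with HTTP 200 would otherwise be saved as the "ruleset"), compares its MD5 against a digest supplied out of band, and mails the administrator on any failure. The URL, file paths, mail recipient, and the assumption that an expected MD5 is available for the snapshot are all placeholders or assumptions, not facts taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project.
# Validates a downloaded rules snapshot before it replaces the current one,
# so a fetch that returns an error page or a truncated file is reported
# instead of silently leaving an old ruleset in place.
#
# Assumptions (not stated on the page): the snapshot is a gzip tarball, the
# expected MD5 is obtained out of band (a .md5 sidecar on snort.org is an
# assumption), and the URL, paths and mail recipient are placeholders.

# is_gzip FILE: succeed if FILE starts with the gzip magic bytes 1f 8b.
# An HTML error page delivered with HTTP 200 fails this check.
is_gzip() {
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# md5_matches FILE EXPECTED: succeed if md5sum(FILE) equals EXPECTED (lowercase hex).
md5_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# check_snapshot FILE EXPECTED_MD5: run the checks in order, print the reason
# and return a distinct non-zero code per failure so cron output says why.
check_snapshot() {
    file=$1
    expected=$2
    if [ ! -s "$file" ]; then
        echo "FAIL: $file is missing or empty"
        return 1
    fi
    if ! is_gzip "$file"; then
        echo "FAIL: $file is not a gzip archive (HTML error page?)"
        return 2
    fi
    if ! md5_matches "$file" "$expected"; then
        echo "FAIL: md5 mismatch for $file"
        return 3
    fi
    echo "OK: $file"
    return 0
}

# notify SUBJECT: send the message on stdin to root by mail; fall back to
# syslog and stderr when no mail command is installed.
notify() {
    if command -v mail >/dev/null 2>&1; then
        mail -s "$1" root
    else
        logger -t snort-rules "$1" 2>/dev/null
        cat >&2
    fi
}

# fetch_rules URL DEST EXPECTED_MD5: download to DEST.part, validate, and only
# then move it into place. Every failure path notifies and returns non-zero.
# Placeholder usage (oinkcode elided, as on the page):
#   fetch_rules "http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2861.tar.gz" \
#               /var/tmp/snortrules-snapshot-2861.tar.gz "$expected_md5"
fetch_rules() {
    url=$1
    dest=$2
    expected=$3
    tmp="$dest.part"
    curl -fsS -o "$tmp" "$url"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "download of $url failed (curl exit $rc)" | notify "snort rules update FAILED"
        rm -f "$tmp"
        return 1
    fi
    reason=$(check_snapshot "$tmp" "$expected") || {
        echo "$reason" | notify "snort rules update FAILED"
        rm -f "$tmp"
        return 1
    }
    mv "$tmp" "$dest"
}
```

Note that `curl -f` alone is not enough: it turns HTTP 4xx/5xx into a non-zero exit, but a CGI that answers 200 with an HTML error body still "succeeds", which is exactly the case `is_gzip` catches. The digest check then guards against a truncated transfer. Wire `fetch_rules` into the existing cron entry and the nightly job fails loudly instead of quietly keeping last year's rules.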
Current thread:
- rules update on 2.8 hermit (Dec 21)
- Re: rules update on 2.8 Nick Moore (Dec 21)
- Re: rules update on 2.8 hermit (Dec 21)
- Re: rules update on 2.8 Joel Esler (Dec 21)
- Re: rules update on 2.8 Nick Moore (Dec 21)
- Re: rules update on 2.8 hermit (Dec 21)
- Re: rules update on 2.8 Jason Haar (Dec 22)
- Re: rules update on 2.8 Nick Moore (Dec 21)