Snort mailing list archives

Re: Why Multiple Rules Files on Snort...Why? (fixed)


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 20 Aug 2013 17:35:30 -0400

On Aug 20, 2013, at 5:06 PM, Dominick Bakhtiar <dominickfb () gmail com> wrote:

> Hi Guys, I am fairly new to using Snort, so sorry in advance...Here's my question...

> There are multiple rules files on snort.org that follow this naming convention:

Okay, let me fix your subject then, because the rule files aren’t on Sourceforge.

> snortrules-snapshot-29##.tar.gz with the same date. These files look the same to me. What's the reason for multiple?

There is a version of rules that goes with the version of Snort you are running, and those are supported by the EOL policy.

Please see it here:
http://www.snort.org/vrt/rules/eol_policy

The plaintext rules are generally the same (they are right now) but sometimes, we’ll introduce a new keyword into the 
Snort language that only some versions (new) of Snort can take advantage of.  For instance, when the file_data keyword 
came out, only new versions of Snort supported it.


> It seems some rules are missing from these files. I just updated my rules (backed up my original) but I can't start
> snort now because it is looking for some rules it cannot find (such as community-sql-injection.rules). I don't see
> this file in the updated .gz file.

Those old community rulesets (that come packaged in Ubuntu for some reason) are dead.  The community ruleset now lives 
at:
http://www.snort.org/snort-rules#community

I wish the Ubuntu maintainer would include that instead of the old stuff.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
