Snort mailing list archives
RE: Snort rules touble.
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 21 Jun 2002 13:14:26 -0600
If Jason is going to go with his intended build of 1.86 and would ultimately have to comment out anything using "flow", if he needs to stay with that build, then he might want to consider downloading the latest signatures from activeworx as well as the policy manager and integrating those into the rules to ensure that he is using some of the latest signatures. Otherwise, it could be advantageous to move ahead to the daily snapshot and use the latest rules from current.

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Friday, June 21, 2002 1:07 PM
To: Slighter, Tim
Cc: Jason Gauthier; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules touble.

On Fri, 21 Jun 2002, Slighter, Tim wrote:
> Will this also resolve the "flow" issue that is happening?
"flow" is a keyword that has been added into the 1.9 developmental branch of snort. 1.9 is the 'bleeding edge' where all the new features and changes are made. 1.8.6+ is the 'stable' or 'bugfix' release.

What happens is this:

* Bug in 1.9 is found, and fixed. If the same bug is present in 1.8.x the fix is backported.
* Rules are written and updated for the 1.9 tree. Then the rules are backported to the 1.8.x rule base. If the rule won't work with 1.8.x, i.e. "flow" rules, they are commented out in CVS.

Many times when folks update new rules, they don't really read or understand the rules, they just say "Hey, look--It's commented out. I'll add it back in so that I'm running _all_ the rules--That way I'll be even _more_ protected!" That's not a Good Idea(tm). :) As our Rule Nazi (Cazz) has said "Things are commented out for a reason. Don't uncomment them unless you understand why they were commented out in the first place."

There is a script that will update your rules that someone on the list has written. It works very well, except for one tiny quirk--By default, it uncomments any commented out rules. The author has already said that should be an option and not a default, so use caution when/if using scripts to update your rules. Heh... One more reason to do it yourself.... ;-)

Sorry for rambling! I hope this helps understand a bit!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
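The update-script quirk Erek describes (uncommenting every commented-out rule by default) is exactly what a rule-update step should refuse to do when the engine is still 1.8.x. As an added example, not code from this thread or from the Snort project, here is a small Python filter that leaves already-commented rules untouched and comments out any active rule that uses a keyword the running engine lacks; the keyword set `KEYWORDS_MISSING_IN_1_8` and the sample rules are assumptions constructed for this example.

```python
"""Filter a Snort rules file for an engine that lacks the "flow" keyword."""
import re

# Per the thread, "flow" exists only in the 1.9 branch. Assumed set for this
# example; extend it for whatever your engine version does not understand.
KEYWORDS_MISSING_IN_1_8 = {"flow"}

# A rule line: optional leading '#' (already disabled), then an action word.
RULE_RE = re.compile(r"^(?P<comment>\s*#\s*)?(?P<action>alert|log|pass|activate|dynamic)\s")
# Rule options are "key:value;" or bare flags such as "nocase;".
OPTION_RE = re.compile(r"(?P<key>[A-Za-z_]+)\s*:[^;]*;|(?P<flag>[A-Za-z_]+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

# Constructed sample rules (not real signatures): one active rule using flow,
# one rule that was already commented out upstream, one plain 1.8.x-safe rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example A"; flow:to_server,established; content:"/example"; nocase; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example B"; flow:to_server,established; content:"EXAMPLE"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example C"; flags:A+; content:"EXAMPLE"; sid:1000003; rev:1;)
"""


def rule_keywords(rule):
    """Return the lower-cased option keywords used inside the rule's parentheses."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return set()
    body = rule[start + 1:end]
    return {(m.group("key") or m.group("flag")).lower() for m in OPTION_RE.finditer(body)}


def filter_rules(text, missing=KEYWORDS_MISSING_IN_1_8):
    """Return (filtered_text, disabled_sids).

    Lines that are already commented out are copied through unchanged, so a
    rule disabled upstream stays disabled. Active rules using any keyword in
    `missing` are commented out with a note naming the offending keyword.
    """
    out, disabled = [], []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group("comment"):
            bad = rule_keywords(line) & missing
            if bad:
                sid = SID_RE.search(line)
                disabled.append(int(sid.group(1)) if sid else None)
                out.append(f"# disabled (unsupported keyword {','.join(sorted(bad))}): {line}")
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    filtered, sids = filter_rules(SAMPLE_RULES)
    print(filtered, "disabled sids:", sids)
```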