Snort mailing list archives

Re: Snort 2.8.4 Now Available


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Wed, 8 Apr 2009 13:38:07 -0400

Sure,

Here is a quick summary of what is on the rules Download Page.

Each of the 2_X packages tracks the latest minor release.  I.e. the 2.8
packages contain things that only work in 2.8.3.2.  The next set of
packages released in the 2_8 will track 2.8.4 and will contain all the
netbios changes.

So to answer your question it will break earlier 2.8 releases.

Additionally, CURRENT doesn't mean the English definition of "current"
as in the latest release.  It is a revision control term meaning
latest and greatest CVS snapshot.  Therefore CURRENT could contain
whatever crazy beta features are in the works.

Given all that, here is exactly what is going to happen hopefully today.

1. A new set of rule packages will be released.  If you are a
subscriber and can get rules immediately the following will happen.

The 2.7 rule packages will contain all the OLD NETBIOS rules
The 2.8 rule packages will contain all the NEW NETBIOS rules
The CURRENT rule packages will contain all the NEW NETBIOS rules

2. If you're doing automatic updates with oinkmaster and are pointing at
2.8 or CURRENT and are not running 2.8.4, things will break.

If you are a registered user and not a subscriber the above will
happen in 30 days.

Hopefully that explains it.

Cheers,

On Wed, Apr 8, 2009 at 12:51 PM, John Duksta <jduksta () gmail com> wrote:

Joel (or someone else at SF):

Can we get some guidance as to whether the snapshot_2.8_s rules going forward
are going to utilize the dcerpc2 enhancements (i.e. lose the 5K netbios
rules that just went away with SF SEU 216), and if so, will the new dcerpc2
ruleset break earlier 2.8 releases?

Based on the rule maintenance language[1], it sounds like it might do so, but
I suppose it really depends on the content of the rules.

Thanks,
-j

[1] <quote>Snort rule packages for Subscribers and Registered users track
the latest feature set for any Major.X release. This means that rule
packages can contain features that only exist in the latest version of snort
for a given Major.X release. A simple example is:

If 2.6.1.5 is the current version of snort then the snortrules-snapshot-2.6
packages might utilize features not supported in 2.6.1.4 and earlier.

Additionally the word CURRENT does not mean "current" as in the English
dictionary meaning. It means CURRENT in the BSD source code repository
meaning. CURRENT tracks SNORT CVS CURRENT, i.e. the unstable, possibly
broken version of snort. If you download CURRENT and are not running this
version of snort, your snort install will break</quote>

--
John Duksta <jduksta () gmail com>
Can't sleep, clowns will eat me.

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
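
One way to guard an automated rule update against the mismatch described in the message above, as an added example that is not part of the original thread: it reads the version from the `snort -V` banner, allows the 2.8 track only at 2.8.4 or later, and always refuses CURRENT. The function names and the sample banner are constructed for illustration; running it ahead of the oinkmaster job is assumed to be done by the site's own cron script.

```shell
#!/bin/sh
# Added example: pre-update check for the rule tracks named in the message.

# parse_snort_version: read a `snort -V` banner on stdin, print the dotted version.
parse_snort_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B (missing fields count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# package_allowed TRACK INSTALLED: succeed only when the message says the
# installed Snort can load that track's rules. Fails closed on bad input.
package_allowed() {
    case $2 in ''|*[!0-9.]*) return 1 ;; esac   # unparsed or odd version
    case $1 in
        2.8)     version_ge "$2" 2.8.4 ;;  # NEW NETBIOS rules need 2.8.4
        CURRENT) return 1 ;;               # follows the CVS snapshot: no release number proves a match
        *)       return 2 ;;               # track not covered by the message
    esac
}

# Constructed sample banner; on a real sensor use: snort -V 2>&1
SAMPLE_BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.3.2 (Build 22)'

installed=$(printf '%s\n' "$SAMPLE_BANNER" | parse_snort_version)
if package_allowed 2.8 "$installed"; then
    echo "Snort $installed: 2.8 rule package can be fetched"
else
    echo "Snort $installed: hold the 2.8 rule update until the sensor runs 2.8.4"
fi
```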
