Snort mailing list archives

Re: VRT Release 2010-02-23 uses "detection_filter"


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 24 Feb 2010 10:58:42 -0500

On Wed, Feb 24, 2010 at 10:41 AM, evilghost () packetmail net
<evilghost () packetmail net> wrote:
Thanks Matt, honestly these *specific* changes announced in advance
would be helpful.  Things move slowly in the enterprise and often times
justification is needed outside of "this is the latest version" to
proceed with changes in a production IDS environment.  "Please be
advised that on 02/23/2010 the VRT signatures now use detection_filter,
users should plan an upgrade to 2.8.5" would be helpful if announced
prior to the actual implementation of these changes and before I started
assassinating my Snort processes.  I would imagine 14 days would be
reasonable, or even 7 days, but at least allocate some time to permit an
upgrade and warn your user-base of the impending destruction for
"legacy" users.

Thank you for your consideration.

-evilghost



Matt Olney wrote:
You know, it probably isn't unreasonable for us to call out changes
like that.  Going forward we'll see what we can do.  That being said,
we have called out that those who don't stay up with the latest Snort
may have issues:

Note: Snort rule packages for Subscribers and Registered Users track
the latest patch release for any major version. This means that rule
packages may make use of features that only exist in the latest
version of Snort. A simple example is: If 2.8.4 is the current version
of Snort then the snortrules-snapshot-2.8 packages might use features
not available in 2.8.3.2 and earlier.
(http://www.snort.org/snort-rules)

Matt

On Wed, Feb 24, 2010 at 10:26 AM, evilghost () packetmail net
<evilghost () packetmail net> wrote:

While I truly enjoy surprises sometimes I'm disappointed when the gift
isn't something I wanted.  In this case the gift was given to me by VRT
and came in the form of "detection_filter".  As I eagerly unpacked the
tar-gzip, giddy like the child on Christmas morning, my happiness turned
to sadness.  Santa brought me some coal, have I really been that bad?
It made my 2.8.4.1 Snorts become very unhappy (evidently they don't like
surprises like I do).  Sure I can sed these out but a little advance
warning is nice.  Note, advance warning does not constitute "Snort 2.8.5
is current, you should be running it" or the generic catch-all warning
currently in place.  Specific warnings such as "These VRT rules are
using detection_filter" would be highly appreciated and would allow me
to react accordingly before I dropped a few depth-charges on my Snorts.

http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-23.html

-evilghost


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs






I know not everyone follows our blog, but sometimes, there is useful
information on it:

http://vrt-sourcefire.blogspot.com/2009/09/snort-285-release.html

Wednesday, September 16, 2009

"All VRT Certified rule releases will now be 2.8.5 compliant and we
will cease to support 2.8.4 (in 90 days) in favor of this latest
release."

We actually let it go longer than 90 days.

You can choose not to read it of course, and to help out those folks
who choose not to but who are subscribed to this list, I will try to
send an email when impending doom lurks on the horizon. No promises
though.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

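The rules that upset the 2.8.4.1 sensors in this thread did so because they carry a rule option (detection_filter, a Snort 2.8.5 addition) that the older rule parser does not recognise, so the whole file fails to load. As an added example, not from the thread, from VRT or from the Snort project, here is a small Python inventory tool that parses each rule's option list (honouring quoted strings and escaped semicolons inside content), reports the SIDs using a given keyword, and writes a fallback copy in either of the two forms discussed above: the affected rules commented out (safe, but coverage is lost until the upgrade) or the option stripped (the "sed these out" approach, which keeps the rule live but, for detection_filter, makes it alert on every match instead of after the configured rate). The function names and the sample rules are constructed for illustration and are not VRT rules.

```python
"""Inventory Snort rules that use an option an older Snort build cannot parse
(detection_filter here) and produce a fallback copy of the rules file.

Added example for this thread; sample rules below are constructed, not VRT rules.
"""
from typing import List, Optional, Tuple

# Constructed sample: one rule using detection_filter, one with an escaped ';'
# inside a content string, and a comment line.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh login burst"; flow:to_server; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED escaped \; in content"; flow:to_server,established; content:"GET /a\;b"; classtype:web-application-activity; sid:9000002; rev:1;)
# a comment line that must be left alone
'''


def split_options(body: str) -> List[str]:
    """Split the text between a rule's parentheses into option clauses.
    Tracks double quotes and backslash escapes so that an escaped semicolon
    inside content:"..." does not terminate a clause."""
    clauses, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
            continue
        if ch == "\\":
            cur.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            clauses.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        clauses.append(tail)
    return clauses


def parse_rule(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (header, option_clauses) for an active rule line; None for blank
    lines, comments and lines without an option body."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    open_idx, close_idx = s.find("("), s.rfind(")")
    if open_idx < 0 or close_idx < open_idx:
        return None
    return s[:open_idx].strip(), split_options(s[open_idx + 1:close_idx])


def option_name(clause: str) -> str:
    """Keyword part of an option clause, e.g. 'sid' for 'sid:9000001'."""
    return clause.split(":", 1)[0].strip().lower()


def sid_of(clauses: List[str]) -> str:
    for c in clauses:
        if option_name(c) == "sid":
            return c.split(":", 1)[1].strip()
    return "?"


def uses_option(line: str, option: str) -> bool:
    parsed = parse_rule(line)
    return bool(parsed) and any(option_name(c) == option for c in parsed[1])


def find_rules_using(rules_text: str, option: str) -> List[str]:
    """SIDs of every active rule that carries the given option keyword."""
    return [sid_of(parse_rule(l)[1]) for l in rules_text.splitlines() if uses_option(l, option)]


def disable_rules_using(rules_text: str, option: str) -> str:
    """Fallback 1: comment out affected rules. The file loads on the older
    Snort and the rule's intended rate threshold is preserved for later, but
    those detections are off until the sensor is upgraded."""
    out = []
    for line in rules_text.splitlines():
        if uses_option(line, option):
            out.append("# disabled (needs newer Snort for %s): %s" % (option, line))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def strip_option(rules_text: str, option: str) -> str:
    """Fallback 2: the sed approach, removing just the option clause. For
    detection_filter this changes behaviour: the rule now fires on every
    match rather than after 'count' matches in 'seconds', so expect noise."""
    out = []
    for line in rules_text.splitlines():
        if uses_option(line, option):
            header, clauses = parse_rule(line)
            kept = [c for c in clauses if option_name(c) != option]
            out.append("%s (%s)" % (header, " ".join(c + ";" for c in kept)))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("rules using detection_filter:", find_rules_using(SAMPLE_RULES, "detection_filter"))
    print(disable_rules_using(SAMPLE_RULES, "detection_filter"))
```

Run the inventory first and decide per SID; commenting out is the conservative choice when a sensor cannot be upgraded immediately, while stripping the clause is only acceptable if the extra alert volume from a rule that was designed to fire on a rate threshold is tolerable.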