Re: Rule Migration Cheat Sheet?

[Joel Esler <jesler () sourcefire com>]

Bert,

BTW -- I had to allow your email through manually, you might want to subscribe to snort-sigs to post.

There are several new keywords (file_data, byte_extract, http_*)  We don't have a specific conversion cheat sheet, as 
the old rule options still work fine,  the new rule options just allow for clarification of functionality and a more 
specific and efficient rule writing process.  

That being said, I know a lot of you want to get your rules updated to Snort 2.9 format, I am just swamped, and I know 
I won't get to it until late January.  If anyone from the community wants to write a cheat sheet document, we'll review 
it, I'll put it on the blog, snort.org, and I'll give you a free VRT rule subscription for a year.

Takers?

Joel

On Dec 21, 2010, at 2:51 PM, Hayes, Bert (ISO) wrote:

> My apologies if this has already been covered elsewhere; if it has, I sure
> can't find it.
>
> I'm upgrading a non-production system from Debian's Snort 2.7 package to
> Snort 2.9.0.3 compiled from source.  This system only uses a handful of
> custom rules that I've written myself for post-mortem pcap analysis of
> malware, etc.  I'm not using VRT, ET, ET Pro, etc.  Just a few rules dumped
> from my brain.
>
> I'm aware that there were some big changes in rule syntax as of 2.8.6 (man,
> am I aware) but I can't find a concise, coherent explanation of what the
> specific changes are.  I can find tons of links re: how to get new and
> improved rules that others have written, but nothing that addresses how to
> re-write my own rules.
>
> Anybody got a link?  Can it be posted to the Snort blog (I know it's not
> exactly timely, but it could help others).
>
> Thanks.
>
> -Bert
>
> --
> Bert Hayes, GCIH
> Senior Network Security Analyst
> University of Texas at Austin
> Information Security Office
>
>
> ------------------------------------------------------------------------------
> Forrester recently released a report on the Return on Investment (ROI) of
> Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
> within 7 months.  Over 3 million businesses have gone Google with Google Apps:
> an online email calendar, and document program that's accessible from your 
> browser. Read the Forrester report: 
> http://p.sf.net/sfu/googleapps-sfnew_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


------------------------------------------------------------------------------
Forrester recently released a report on the Return on Investment (ROI) of
Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
within 7 months.  Over 3 million businesses have gone Google with Google Apps:
an online email calendar, and document program that's accessible from your 
browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs