Snort mailing list archives
Changes in the latest rule packs
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Fri, 3 Dec 2010 12:20:11 -0500
I know at least one person has noticed, but for those of you who haven't, we made a small change in the latest rule pack download on snort.org. My apologies for not sending out an advance warning notice, but since most people use snort.org to view the documents, the change is seamless for the majority.

So what did we (or I should say, I) do? We removed the rule docs from the rule tar balls and made them available separately. There is only one rule doc tar ball for registered and subscribed users. You can download them from the rule download page on snort.org at https://www.snort.org/snort-rules/ or you can use the command line to download. The links for the command line download are:

Subscribed Users: http://www.snort.org/sub-rules/opensource.gz/<oinkcode>
Registered Users: http://www.snort.org/reg-rules/opensource.gz/<oinkcode>

Additionally, since there is no difference in the two tar balls, registered users can also use the subscriber link above and still get the docs. The two links are provided above for those folks who like to see consistency in their scripts :D

Of course, you can still view the rule documentation on snort.org as normal from: http://www.snort.org/search/sid/<GID>-<SID>

Note: for GID 1 rules, the GID is not necessary but the search will work with the <GID> being 1.

As we move forward, we are thinking of changing the layout in the rule doc tar ball so that the directory limit for listing files using ls does not hamper those who need to do that. Right now, there are somewhere around 17 thousand individual documents all housed in one directory called signatures/.
Quite a long time ago, we changed our storage for rule documentation and our layout in cvs for the rule documents follows the following format:

Dir:             Contains:
0/               docs from 100 through 999
1/               docs from 1000 through 1999
2/               docs from 2000 through 2999
3/               docs from 3000 through 3999
4/               docs from 4000 through 4999
5/               docs from 5000 through 5999
6/               docs from 6000 through 6999
7/               docs from 7000 through 7999
8/               docs from 8000 through 8999
9/               docs from 9000 through 9999
10/              docs from 10000 through 10999
11/              docs from 11000 through 11999
12/              docs from 12000 through 12999
13/              docs from 13000 through 12999
14/              docs from 14000 through 14999
15/              docs from 15000 through 15999
16/              docs from 16000 through 16999
17/              docs from 17000 through 17999
18/              docs from 18000 through 18999
so_rules/        so_rule docs
pre-processors/  pre-processor docs
deleted/         rule documents for those rules that have been deleted.

Obviously, this has an effect for those users using the rule docs locally, scripts, uric etc would need to be modified, but in the long run it might make life a little easier.

Bear in mind, whatever you use to view rule documentation from a local source would have to be smart enough to know that if a rule SID is in the 100 to 9999 range, the directory name is only one digit, if the rule GID is 3 then it is in the so_rules directory and starts with 3- and if the GID is something higher then it is in the pre-processors directory and starts with the GID.

You could of course, un-tar the contents into the old signatures/ directory if you don't care about listing the contents of the directory and don't want to change anything.

Personally, I manage the rule documentation using Perl scripts and a sid-msg.map (I have a special one that contains all rules and has the GID in there) and it works well. If anyone has any objections, ideas or would like us to do this sooner rather than later, please let us know.
If anyone wants my special sid-msg.map generation script, I will be happy to put it up somewhere for you to download and use. Just let me know.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
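As an added illustration of the lookup rule the mail describes (this is not Nigel's Perl script nor anything shipped by Sourcefire), the Python below maps a (GID, SID) pair to a document path under the proposed split layout, with the old flat signatures/ layout as a fallback, and indexes a sid-msg.map into those paths. The ".txt" file extension, the "gid || sid || msg" form of the GID-carrying sid-msg.map, and the handling of SIDs above 18999 are assumptions.

```python
from typing import Dict, Optional, Tuple

# Assumed file names (not spelled out in the mail): GID 1 docs "<sid>.txt",
# SO rule docs "3-<sid>.txt", preprocessor docs "<gid>-<sid>.txt".
def doc_filename(gid: int, sid: int) -> str:
    return f"{sid}.txt" if gid == 1 else f"{gid}-{sid}.txt"

def doc_dir(gid: int, sid: int, deleted: bool = False) -> str:
    """Directory under the proposed split layout."""
    if deleted:
        return "deleted"
    if gid == 1:
        if sid < 100:
            raise ValueError(f"SID {sid} is below the documented 100+ range")
        # 100-999 -> "0", 1000-1999 -> "1", ..., 18000-18999 -> "18"; the mail
        # lists 0/ to 18/, higher SIDs are assumed to follow the same rule.
        return str(sid // 1000)
    if gid == 3:
        return "so_rules"
    if gid > 3:
        return "pre-processors"
    raise ValueError(f"no documented directory for GID {gid}")

def doc_path(gid: int, sid: int, deleted: bool = False, flat: bool = False) -> str:
    """flat=True reproduces the old single signatures/ directory."""
    name = doc_filename(gid, sid)
    return f"signatures/{name}" if flat else f"{doc_dir(gid, sid, deleted)}/{name}"

def parse_map_line(line: str) -> Optional[Tuple[int, int, str]]:
    # Stock sid-msg.map lines are "sid || msg || ref..." (GID 1 only); the
    # GID-carrying variant is assumed here to be "gid || sid || msg || ref...".
    parts = [p.strip() for p in line.split("||")]
    if len(parts) < 2 or not parts[0].isdigit():
        return None  # blank line, comment, or not a map entry
    if len(parts) >= 3 and parts[1].isdigit():
        return int(parts[0]), int(parts[1]), parts[2]
    return 1, int(parts[0]), parts[1]

def index_docs(map_text: str, flat: bool = False) -> Dict[Tuple[int, int], str]:
    """Map every (gid, sid) in a sid-msg.map to its local doc path."""
    index = {}
    for line in map_text.splitlines():
        entry = parse_map_line(line)
        if entry:
            gid, sid, _msg = entry
            index[(gid, sid)] = doc_path(gid, sid, flat=flat)
    return index

# Constructed sample in the assumed GID-carrying form (not a real sid-msg.map).
SAMPLE_MAP = "1 || 2000 || EXAMPLE gid 1 rule\n3 || 12345 || EXAMPLE so rule\n119 || 2 || EXAMPLE preproc\n"
```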