Snort mailing list archives

Re: Snort version vs Snort rules version


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 11 Jan 2011 12:46:53 -0500

You are correct.  I apologize.

You can use OLDER versions of rules with NEWER versions of Snort.

J

On Tue, Jan 11, 2011 at 12:40 PM, NA <dustypath () comcast net> wrote:

Sorry to belabor the point,

I am thinking you mean any OLD version of rules works with any NEWER
version of Snort by default (leaving out possible rule writing changes
done years ago, if any, for the sake of discussion). To tighten it up
further is it the recommendation or is it you HAVE to use the matching
or lower version ruleset of the Snort version installed?

J
The reply below seems conflicted, did you mean:


You can't use 2.9.0.3 rules (for example) with 2.9.0.2?

Btoo


On 1/11/11 8:59 AM, Joel Esler wrote:
No, if you are using 2.9.0.3, any version of rules will work with it.

You can't use 2.9.0.2 rules (for example) with 2.9.0.3.

J

On Tue, Jan 11, 2011 at 11:55 AM, NA <dustypath () comcast net> wrote:

    Thanks,
    So this means major version of Snort as in 2.9 works with any 2.9xx
    ruleset? Would this mean there will be no issues? Would it be
    better to use matching versions (as in fewer hiccups, unfamiliar
    FPs and such)?



    On 1/11/11 8:27 AM, Joel Esler wrote:

        You should always use the correct version of rules with the
        correct version of Snort.  However, I see your dilemma.  Let
        me think about this a bit and see if we can come up with a
        solution.

        J

        On Tue, Jan 11, 2011 at 11:16 AM, NA <dustypath () comcast net> wrote:

           Hello all,

           It may be obvious to many that the Snort ruleset version should
           match the Snort installed version but I found myself in a
           different situation.

           Concentrating on installing the latest Snort with all the other
           accompanying programs was my first priority. Then moving on to
           configuring and using Snort I found that the latest rules were
           subscriber only and chose to install the registered version
           ruleset.

           So this begs the question, is it a bad idea to use the latest
           Snort version with the registered ruleset? Is there some rule of
           thumb to go by to avoid problems?

           Thanks






           ------------------------------------------------------------------------------
           Protect Your Site and Customers from Malware Attacks
           Learn about various malware tactics and how to avoid them. Understand
           malware threats, the impact they can have on your business, and how you
           can protect your company and customers by using code signing.
           http://p.sf.net/sfu/oracle-sfdevnl
           _______________________________________________
           Snort-users mailing list
           Snort-users () lists sourceforge net

           Go to this URL to change user options or unsubscribe:
           https://lists.sourceforge.net/lists/listinfo/snort-users
           Snort-users list archive:
           http://www.geocrawler.com/redir-sf.php3?list=snort-users




        --
        Joel Esler
        Skype:eslerjoel
        http://blog.snort.org





--
Joel Esler
Skype:eslerjoel
http://blog.snort.org







-- 
Joel Esler
Skype:eslerjoel
http://blog.snort.org