Snort mailing list archives

Re: Snort Rules changelog


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 14 Sep 2011 10:30:03 -0400

Chris,

This is what the mailing list is for.  The thing to remember about the power of the Snort community is that there are 
beginners and there are experts.  Experts help out the beginners in order to build a stronger and larger community.  

There are no stupid questions, just stupid answers.

J

On Sep 14, 2011, at 9:25 AM, C Granger wrote:

Haha, it would drive me crazy answering dumb questions like this. They're two different rules that work differently, you 
filthy monkey! I'll respond on the mailing list, yeah.

Sent from my iPad

On Sep 14, 2011, at 9:07 AM, uri shalev <dabitter () gmail com> wrote:

Hi all,
I'm trying to understand the rules changelog:
i.e., this page - http://www.snort.org/vrt/docs/ruleset_changelogs/2_9_1_0/changes-2011-09-13.html
     • Does every line actually stand for a new, unique IPS solution addressing the vulnerability described (under 
the 'New Rules')?
     • In the 'Modified Rules' section, are these existing rules that have been improved?
     • Some of the rules address the same issues, with a slight difference, for instance: 
 * 1:20097 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir infected host at destination ip (botnet-cnc.rules)
 * 1:20096 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir outbound connection (botnet-cnc.rules)

Again, do they stand for an individual solution or are they two parts of the same protection?
Maybe I'm missing the entire concept of the rules system; I'd appreciate it if you could help me understand it a 
little better.  


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

