Snort mailing list archives

Re: Ubuntu 11.04 / 10 rulesset


From: Mike Lococo <mikelococo () gmail com>
Date: Mon, 31 Oct 2011 11:44:29 -0400

On 10/31/2011 09:42 AM, Marcin Nawrocki wrote:
> Do I have to compile / create my own snort rules for the recent
> versions of ubuntu or can I use the delivered rules for the
> LTS-version? If I have to do it by myself, how to do this manually?

I recently filed an Ubuntu bug regarding exactly this issue:
https://bugs.launchpad.net/ubuntu/+source/snort/+bug/872582

In short, the version of Snort provided with Ubuntu is no longer 
supported by Sourcefire and will not run recent VRT rules.  There is 
nothing you can do to make it do so.  You can run whatever is in the 
snort-rules package, but I don't believe that the sigs in that package 
have been updated for at least a year.  It's more likely that 
those are the sigs that were released with 2.8.5.2 in December of 2009, 
and consequently would be missing detection for any threat that has 
evolved or emerged since then (aka, almost everything that matters).

As an alternative, you can custom install pulledpork and use it to 
download the Emerging-Threats Open ruleset which does still support the 
2.8.5.x series.  That's a quality ruleset in my opinion and you could do 
worse than to use it, but you can't run the VRT rules.

Another alternative is installing current snort from source, which is 
what most serious Snort users do.  There are guides out there on how to 
do so, but it is many many times more work than apt-get install.

As an aside, if you use Ubuntu and want the Snort package updated, go 
log into launchpad and click the "Does this bug affect you" link to move 
it up their priority list.  I'm not sure what rationale Ubuntu is using 
to decide what version to ship; I have a suspicion that they don't have 
an active maintainer for the Snort package and that it just isn't 
getting much attention.

Cheers,
Mike
