Snort mailing list archives

Re: Ubuntu 11.04 / 10 rulesset


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 31 Oct 2011 12:12:50 -0400

On Oct 31, 2011, at 11:44 AM, Mike Lococo wrote:
On 10/31/2011 09:42 AM, Marcin Nawrocki wrote:
Do I have to compile / create my own snort rules for the recent
versions of ubuntu or can I use the delivered rules for the
LTS-version? If I have to do it by myself, how to do this manually?

I recently filed an Ubuntu bug regarding exactly this issue:
https://bugs.launchpad.net/ubuntu/+source/snort/+bug/872582

In short, the version of Snort provided with Ubuntu is no longer 
supported by Sourcefire and will not run recent VRT rules.  There is 
nothing you can do to make it do so.  You can run whatever is in the 
snort-rules package, but I don't believe that the sigs in that package 
can't have been updated for at least a year.  It's more likely that 
those are the sigs that were released with 2.8.5.2 in December of 2009, 
and consequently would be missing detection for any threat that has 
evolved or emerged since then (aka, almost everything that matters).

Actually, more incorrectly, the rules distributed WITH ubuntu are the GPL'ed ones.  SID 3464 and below.  So, very old.


As an alternate, you can custom install pulledpork and use it to 
download the Emerging-Threats Open ruleset which does still support the 
2.8.5.x series.  That's a quality ruleset in my opinion and you could do 
worse than to use it, but you can't run the VRT rules.

You can run the VRT rules, but we are adding keywords all the time that will break compatibility, and 2.8.5.2 can't use 
any of the newer features of the ruleset.  There's a reason we update Snort and add better detection and magical 
keywords like "file_data".  I really wish ET would stop "supporting" that far back.  It's like enabling a drug addict 
to not quit.  It hurts more than helps.

Another alternative is installing current snort from Source, which is 
what most serious Snort users do.  There are guides out there on how to 
do so, but it is many many times more work than apt-get install.


Yes! That.
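Since the thread's point is that newer VRT rules use options (it names "file_data") that the Snort 2.8.5.2 shipped by Ubuntu cannot parse, a quick pre-load check is useful before feeding a downloaded ruleset to the distro package. The script below is an added example, not from this thread or from the Snort or pulledpork projects: it lists the SIDs of rules that use a keyword from an editable list, so an admin can see what would fail to load. The sample rules file and its SIDs are constructed for the example; only "file_data" is taken from the discussion above, and the list is an assumption you should extend for your own version.

```shell
#!/bin/sh
# Added example: report rules whose options the old distro Snort will not accept.
# NEW_KEYWORDS holds rule options the thread says 2.8.5.2 lacks ("file_data");
# which other options to list here is an assumption left to the reader.
NEW_KEYWORDS="file_data"

# Print, one per line, the sid of every active rule in FILE that uses one of
# NEW_KEYWORDS. Commented-out rules (leading '#') are skipped, and the option
# is matched with its trailing ';' so that a longer option name is not confused
# with the short one.
incompatible_sids() {
    file="$1"
    for kw in $NEW_KEYWORDS; do
        grep -E "^[^#].*[[:space:](]${kw};" "$file" || true
    done | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p' | sort -u
}

# Constructed sample rules file for the demonstration (SIDs are made up).
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE old-style rule"; content:"GET"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE uses file_data"; flow:to_client,established; file_data; content:"<script"; nocase; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE commented out"; file_data; sid:9000003; rev:1;)
EOF
    echo "$f"
}

# Usage: ./check_rules.sh /etc/snort/rules/emerging-web_client.rules
if [ -n "$1" ]; then
    incompatible_sids "$1"
fi
```

Run it against each rules file you intend to load; a non-empty result means those SIDs need a newer Snort (or must be disabled) before the old package will start cleanly.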



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!