Snort mailing list archives

Re: Ubuntu 11.04 / 10 rulesset


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 31 Oct 2011 14:46:06 -0400

On Oct 31, 2011, at 2:23 PM, Mike Lococo wrote:

Actually, more incorrectly, the rules distributed WITH Ubuntu are
the GPL'ed ones. SID 3464 and below. So, very old.

That's worse than I thought.  That means that Snort as shipped by Ubuntu 
provides absolutely no protection against any credible threat scenario. 
The GPL rules are almost universally a throwback to a different time; 
no real attackers are using any of the techniques those sigs look for today.


It depends.  There are some useful rules that still fire in the GPL set.  But you are right, in order to be protected 
you need to have the most updated ruleset and engine.

As an alternate, you can custom install pulledpork and use it to
download the Emerging-Threats Open ruleset which does still support
the 2.8.5.x series.  That's a quality ruleset in my opinion and you
could do worse than to use it, but you can't run the VRT rules.

You can run the VRT rules, but we are adding keywords all the time
that will break compatibility, and 2.8.5.2 can't use any of the newer
features...

If I recall correctly, it's not just that 2.8.5.2 won't take advantage 
of the new keywords.  It will crash on startup and give you the sid of 
precisely one rule that uses an incompatible keyword.  You'll have to 
iteratively try running Snort and disabling the offending rule until 
there are no more rules that use new keywords.  How many rules are there 
that use incompatible keywords?  Is it in the hundreds or thousands? 
With one restart for each to troubleshoot.  Plus you'll have to go 
through the same process for each ruleset update, although the delta 
each week is probably only a dozen rules or so.

That delta will be increasing.  So I wouldn't bet on it.
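The restart-and-disable loop described above (start the old engine, read off the one rule it rejects, comment it out, repeat) can be replaced by a single pass over the rules file. The following is an added example, not code from the Snort project, from Sourcefire, or from either poster: it parses each rule's option list (respecting quoted strings, escapes and backslash-continued lines), reports the active SIDs that use any keyword the local engine does not know, and writes back a copy with exactly those rules commented out, which is what a tool such as pulledpork's disablesid handling does in production. The keyword names `hypothetical_new_option` and `other_hypothetical_option`, the sample rules and the function names are all constructed for this illustration; the set of keywords a given 2.8.5.x build rejects has to come from that engine's own error output.

```python
"""Pre-check a Snort rules file against an older engine's option vocabulary.

Added example (not Snort project code). Keyword names and sample rules are
constructed; substitute the keywords your own engine reports as unknown.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Hypothetical option keywords our (older) engine does not understand.
HYPOTHETICAL_UNKNOWN_KEYWORDS = {"hypothetical_new_option", "other_hypothetical_option"}

# Constructed sample rules file; SIDs are in the local range and mean nothing.
SAMPLE_RULES = """\
# constructed sample rules, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE classic keywords only"; \\
    flow:to_server,established; content:"/cgi-bin/test.cgi"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE semicolon; inside msg"; flow:to_server,established; content:"GET"; hypothetical_new_option:foo; sid:1000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE already disabled"; hypothetical_new_option:bar; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE escaped quote \\" and hex |3B|"; content:"|3B|"; other_hypothetical_option; sid:1000004; rev:1;)
"""

# action + header, then everything between the outermost parentheses
RULE_HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s.*?\((.*)\)\s*$", re.S)


@dataclass
class Rule:
    first_line: int            # 0-based index of the first physical line
    last_line: int             # last physical line (backslash continuations)
    enabled: bool              # False when the rule is commented out
    sid: Optional[int]
    keywords: List[str] = field(default_factory=list)


def _logical_lines(lines: List[str]) -> Iterator[Tuple[int, int, str]]:
    """Join backslash-continued physical lines into one logical line."""
    i = 0
    while i < len(lines):
        start, parts = i, []
        while lines[i].rstrip().endswith("\\") and i + 1 < len(lines):
            parts.append(lines[i].rstrip()[:-1])
            i += 1
        parts.append(lines[i])
        yield start, i, "".join(parts)
        i += 1


def _options(option_text: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key; ...' into pairs; ';' inside quotes and escapes are data."""
    pairs, buf, in_quote, escaped = [], [], False, False

    def flush() -> None:
        token = "".join(buf).strip()
        buf.clear()
        if token:
            key, _, value = token.partition(":")
            pairs.append((key.strip().lower(), value.strip()))

    for ch in option_text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    flush()
    return pairs


def parse_rules(text: str) -> List[Rule]:
    """Parse active and commented-out rules; lines that are not rules are skipped."""
    rules = []
    for first, last, logical in _logical_lines(text.splitlines()):
        stripped = logical.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        match = RULE_HEADER_RE.match(stripped.lstrip("# "))
        if not match:
            continue
        opts = _options(match.group(2))
        sid = next((int(v) for k, v in opts if k == "sid" and v.isdigit()), None)
        rules.append(Rule(first, last, enabled, sid, [k for k, _ in opts]))
    return rules


def unsupported_sids(rules: List[Rule], unknown_keywords) -> List[int]:
    """SIDs of active rules using at least one keyword the engine does not know."""
    unknown = {k.lower() for k in unknown_keywords}
    return sorted(r.sid for r in rules
                  if r.enabled and r.sid is not None and unknown.intersection(r.keywords))


def disable_sids(text: str, sids) -> str:
    """Return the file with every physical line of the given active SIDs commented out."""
    targets = set(sids)
    lines = text.splitlines()
    for rule in parse_rules(text):
        if rule.enabled and rule.sid in targets:
            for idx in range(rule.first_line, rule.last_line + 1):
                lines[idx] = "# " + lines[idx]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    bad = unsupported_sids(parse_rules(SAMPLE_RULES), HYPOTHETICAL_UNKNOWN_KEYWORDS)
    print("rules to disable before starting the old engine:", bad)
    print(disable_sids(SAMPLE_RULES, bad))
```

Run against a real rules directory, the same pass is repeated after every ruleset update, so the weekly delta the thread mentions is handled without a restart per rule; rules that are already commented out are left alone, so the file is not double-commented.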
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
