Snort mailing list archives

Re: Rules in Snort 2 but not present in Snort 3


From: Joel Esler via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 24 May 2022 20:25:28 -0400

Those are probably bad examples Jason, as they are preprocessor alerts.

— 
Sent from my iPad

On May 24, 2022, at 19:38, Jason Hutchinson (jashutch) via Snort-sigs <snort-sigs () lists snort org> wrote:


Hello all,
I am looking into reports that indicate “NON-CUSTOM” Snort rules that are present in Snort v2, but are not seen in Snort v3.
 
It is understood that there are changes to include, but not limited to:

- Simplified Rule Headers
- http* sticky buffers
- PCRE flag removal
- Matching sub-options
- Urilen rule drop

Just to name a few …
 
Additionally, there are features not supported in Snort 3 that were in Snort 2:

- Safesearch
- YouTube EDU
- No TID incident or SI event on blocked event
- No TID incident for monitoring

Along with others …
 
 
So, my specific question is, taking the example two rules below, they can be seen in Snort v2 but not Snort v3:
"HI_EO_SERVER_INVALID_CHUNK_SIZE"; sid:28; gid:120
"STREAM5_DATA_ON_SYN"; sid:2; gid:129
 
 
Is there some sort of reference that may indicate the reason a rule is no longer listed like the ones stated above? Something that may indicate a rule is not seen because…

- Changes that reduced the need to have multiple rules where one rule would apply to multiple scenarios
- Rule is no longer included due to features not supported on Snort v3
 
 
I apologize if this has been covered somewhere. The above information was included to show there was some effort to look for some sort of resource that would provide the answers…
 
Thanks everyone.
 
Jason M. Hutchinson
 
 
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!