[Snort-sigs] Rules current -> 1.9

Frank Knobbe fknobbe at ...1264...
Fri Feb 7 04:35:11 EST 2003


After discussion on #snort and snort-users, I went ahead and
'back-ported' the Snort-current rules from CVS to Snort 1.9.

The problem was that neither the stable checkout of CVS (snort_1_9) nor
the snort-stable tarball contained current rules. I fetched the one from
Snort 2.0 and made the following changes:

- Removed byte_test rule option.
- Removed byte_jump rule option.
- Changed HOME_NET to DNS_SERVERS in dns.rules as Massimo had suggested
(It just made sense to do it).

Another change you will notice is the migration from the flags: option to
the flow: option.

Because of these changes, you should keep an eye on Snort. Russell
Fulton and myself have been running these rules for a few days without
any ill effects (that means, I'm still getting the same amount of
scans/worms/false positives as before). 

Russell and myself have volunteered to keep Snort 1.9 rules current. If
you do have any suggestions or changes, please pass them on to us.

The last sid is 2003, the Slammer/Sapphire worm.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: rules-1.9.tgz
Type: application/x-gzip
Size: 90973 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030207/1ec38ce3/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030207/1ec38ce3/attachment.sig>
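
An added example, not part of the original post or of rules-1.9.tgz: a small audit that lists which rules in a newer rule set still use the two options the post names as removed for Snort 1.9 (byte_test, byte_jump), parsing options properly so that the option name appearing inside a quoted msg string is not counted. The sample rules, their sids and the function names are constructed for illustration.

```python
import re

# Options the post lists as removed for the Snort 1.9 back-port.
UNSUPPORTED_IN_1_9 = {"byte_test", "byte_jump"}

# Constructed sample rules (not taken from rules-1.9.tgz); sids are made up.
SAMPLE_RULES = r'''
# constructed sample, local sid range
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"sample A"; content:"|00 01|"; byte_test:1,>,5,0,relative; byte_jump:2,0,relative; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample B\; byte_test:1 is only text here"; flow:to_server,established; content:"GET"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample C"; flags:A+; content:"USER"; sid:1000003; rev:1;)
'''

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' that is quoted or backslash-escaped."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    return [o for o in opts + [tail] if o]

def audit(rules_text):
    """Map sid -> sorted option names that would have to go before the rule loads on 1.9."""
    findings = {}
    for line in rules_text.splitlines():
        match = re.match(r"^[^#(][^(]*\((.*)\)\s*$", line.strip())
        if not match:
            continue  # blank line, comment, or not a single-line rule
        options = dict(o.partition(":")[::2] for o in split_options(match.group(1)))
        bad = sorted({k.strip() for k in options} & UNSUPPORTED_IN_1_9)
        if bad:
            findings[options.get("sid", "?").strip()] = bad
    return findings

if __name__ == "__main__":
    for sid, bad in audit(SAMPLE_RULES).items():
        print(f"sid {sid}: uses {', '.join(bad)}")
```

A rule that loses byte_test or byte_jump matches more traffic than its original, so each sid this reports is one to watch for extra false positives.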
