[Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?

Mark.Schutzmann at ...2233... Mark.Schutzmann at ...2233...
Mon May 3 09:12:01 EDT 2004


Although this may sound trivial, does it then follow that in order to
utilize the most current signatures and to detect all of the latest
exploits, that users should always upgrade and run the most current Snort
release? If so, then it is an important statement that should be well
known, so that there is no question about why certain signatures reside
only in the CURRENT ruleset and not in down-level releases. This
understanding is especially important in larger environments where I/T is
hesitant about always using the latest and greatest in production. The
concept is also a bit different than Antivirus vendors who design their
signatures to span across AV engines that are back-leveled. I believe that
this (confusion/frustration) is the cause for a recent movement by some to
develop their own signature update archive for Snort rather than using the

PS- Marty, I look forward to any comments that you may have at tomorrow's

Best Regards,

                      Brian <bmc at ...95...>                                                                                                      
                      Sent by:                           To:       Martin Roesch <roesch at ...435...>                                         
                      snort-sigs-admin at ...551...        cc:       Jason Haar <Jason.Haar at ...651...>, snort-sigs at lists.sourceforge.net       
                      ceforge.net                        Subject:  Re: [Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?            
                      05/02/2004 09:33 PM                                                                                                        

On Sun, May 02, 2004 at 08:49:16PM -0400, Martin Roesch wrote:
> > The CURRENT ruleset does have references, so any idea when they
> > become "official"?
> They're "official" in that they're out in CURRENT, dunno why they
> haven't been backported in the 2.1 snapshot unless there's an issue
> with flowbits functionality in 2.1.2+, I'll ask Caswell.

Large number of people run 2.1.0, which doesn't support flowbits.  The
2.1 snapshot is for anyone running ANY version of the 2.1 branch.

CURRENT should always work if you are using the latest release or
release canidate.

One of these days, I may get traction for SANE version number
incrementing for Snort.  (aka, massive change gets major, new features
get minor bump, bug fixes get reversion)


This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list