[Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset ?

Moyer, Shawn SMoyer at ...758...
Mon May 3 13:22:19 EDT 2004


Agreed. It ALSO follows that the $#%! URL shouldn't change bi-annually. Would be nice PR to say "run the latest snort src, update with the sigs from ${URL} daily, and you'll detect the latest icky stuff". As of right now, that's only true if you read this list.


--shawn
 

-----Original Message-----
From: Mark.Schutzmann at ...2233... [mailto:Mark.Schutzmann at ...2233...] 
Sent: Monday, May 03, 2004 10:49 AM
To: Brian
Cc: Jason Haar; Martin Roesch; snort-sigs at lists.sourceforge.net; snort-sigs-admin at lists.sourceforge.net
Subject: Re: [Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?


Brian,

Although this may sound trivial, does it then follow that in order to utilize the most current signatures and to detect all of the latest exploits, that users should always upgrade and run the most current Snort release? If so, then it is an important statement that should be well known, so that there is no question about why certain signatures reside only in the CURRENT ruleset and not in down-level releases. This understanding is especially important in larger environments where I/T is hesitant about always using the latest and greatest in production. The concept is also a bit different than Antivirus vendors who design their signatures to span across AV engines that are back-leveled. I believe that this (confusion/frustration) is the cause for a recent movement by some to develop their own signature update archive for Snort rather than using the CVS.

PS- Marty, I look forward to any comments that you may have at tomorrow's seminar.

Best Regards,
Mark


                                                                                                                                                 
Brian <bmc at ...95...>
Sent by: snort-sigs-admin at ...551...ceforge.net
05/02/2004 09:33 PM

To: Martin Roesch <roesch at ...435...>
cc: Jason Haar <Jason.Haar at ...651...>, snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?

On Sun, May 02, 2004 at 08:49:16PM -0400, Martin Roesch wrote:
> > The CURRENT ruleset does have references, so any idea when they 
> > become "official"?
>
> They're "official" in that they're out in CURRENT, dunno why they 
> haven't been backported in the 2.1 snapshot unless there's an issue 
> with flowbits functionality in 2.1.2+, I'll ask Caswell.

Large number of people run 2.1.0, which doesn't support flowbits.  The
2.1 snapshot is for anyone running ANY version of the 2.1 branch.

CURRENT should always work if you are using the latest release or release candidate.

One of these days, I may get traction for SANE version number incrementing for Snort.  (aka, massive change gets major, new features get minor bump, bug fixes get reversion)

Brian


-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs






