[Snort-sigs] old rules with newer snort

John Pritchard john.r.pritchard at ...2420...
Wed Mar 5 12:13:11 EST 2008


There is another potential "gotcha" to consider if you're attempting
to take an older rule set and make it work with Snort 2.8.x.

If you have a lot of pass rules, you will need to be sure that each
pass rule is assigned a unique sig_sid. Historically, pass rules
didn't require sig_sids, and they also didn't detect duplication in
use of sig_sids.

Historically, we had written numerous pass rules for situations of
detection rules triggering off benign traffic. And, to address this, we
would write highly specific pass rules where the rule option portion
would utilize the same sig_sid as the detection rule (so that we could
easily reference which detection rule the pass rule was tuning). This
workflow broke with Snort 2.8.

I understand the need to be efficient with reuse of code and I suspect
this is where/why the enforcement of unique sig_sids came into play
with Snort 2.8. But it did produce a hurdle for upgrading to Snort 2.8,
and something to consider if you have large numbers of pass rules that
currently don't have sig_sids or they aren't all unique.

Cheers, John

On Wed, Mar 5, 2008 at 8:37 AM, Sven Wurth <swurth at ...2481...> wrote:
> We like to use older rules with a newer snort only for a short time,
>  because of a migration.
>  Thanks for your quick response!
>  Kind regards
>  Sven
>
>  ________________________________________
>  From: Joel Esler [mailto:joel.esler at ...435...]
>  Sent: Wednesday, 5 March 2008 17:30
>  To: Sven Wurth
>  Cc: Snort-sigs at lists.sourceforge.net
>  Subject: Re: [Snort-sigs] old rules with newer snort
>
>
>
>  Yes, you can use older rules with a newer Snort, but not newer rules with an older Snort.
>
>  Why would you want to use older rules?  Can't you use the current ones?
>
>  Joel
>
>  On Mar 5, 2008, at 11:11 AM, Sven Wurth wrote:
>
>
>  Hi Snort-sigs
>  Does anybody know if it's possible to use old snort rules with a newer snort?
>  Example: vrt-rules in Version 2.6 and a snort 2.8
>
>  Thanks
>  Kind regards
>  Sven
>
>  -------------------------------------------------------------------------
>  This SF.net email is sponsored by: Microsoft
>  Defy all challenges. Microsoft(R) Visual Studio 2008.
>  http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>  _______________________________________________
>  Snort-sigs mailing list
>  Snort-sigs at lists.sourceforge.net
>  https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>  --
>  Joel Esler  joel.esler at ...435...
>
>
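The sid collision John describes above can be caught (and repaired) before the upgrade rather than discovered when the new Snort refuses to load the rule set. The script below is an added example, not code from this thread or from the Snort project. It assumes only what the post states about Snort 2.8 (sids must be unique, and pass rules need one), parses a constructed four-rule sample set embedded in the file, reports pass rules with no sid and sids shared by more than one rule, and renumbers the offending pass rules into the local sid range, taking the usual convention that sids from 1,000,000 upward are free for local rules as an assumption.

```python
"""Audit a Snort rule file for pass-rule sid problems before upgrading.

Constructed example, not part of the original mailing-list thread.  It flags
  * pass rules that carry no sid option, and
  * any sid used by more than one rule (e.g. a pass rule that reuses the sid
    of the detection rule it tunes),
and can move the offending pass rules onto fresh sids so the set loads under
a Snort that enforces unique sids.
"""
import re
from collections import defaultdict

# Assumed convention: sids >= 1,000,000 are reserved for locally written rules.
LOCAL_SID_START = 1000000

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+'
    r'(?P<header>[^(]+)\((?P<options>.*)\)$')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')

# Constructed sample rule set (not real VRT rules).  Rule 3 reuses the sid of
# the detection rule it tunes; rule 4 is an old pass rule with no sid at all.
SAMPLE_RULES = """\
# constructed sample rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample detection"; content:"/cgi-bin/probe"; sid:1000; rev:1;)
pass tcp 10.1.2.3 any -> $HOME_NET 80 (msg:"tune 1000 for known scanner"; content:"/cgi-bin/probe"; sid:1000; rev:1;)
pass tcp 10.1.2.4 any -> $HOME_NET 80 (msg:"legacy pass rule without sid"; content:"/cgi-bin/probe";)
alert udp any any -> $HOME_NET 53 (msg:"DNS sample"; content:"|01 00 00 01|"; sid:1001; rev:1;)
"""


def parse_rules(text):
    """Return a list of (first_lineno, action, sid_or_None, rule_text).

    Blank lines and '#' comments are skipped; a trailing backslash joins the
    next line onto the current rule, as Snort allows."""
    rules, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if start is None:
            start = lineno
        if line.endswith('\\'):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        full, first = ' '.join(buf), start
        buf, start = [], None
        m = RULE_RE.match(full)
        if not m:
            continue  # not something this simple parser understands
        s = SID_RE.search(m.group('options'))
        rules.append((first, m.group('action'), int(s.group(1)) if s else None, full))
    return rules


def audit(rules):
    """Return (pass_rules_without_sid, {sid: [rules sharing it]})."""
    no_sid = [r for r in rules if r[1] == 'pass' and r[2] is None]
    by_sid = defaultdict(list)
    for r in rules:
        if r[2] is not None:
            by_sid[r[2]].append(r)
    dups = {sid: rs for sid, rs in by_sid.items() if len(rs) > 1}
    return no_sid, dups


def renumber_pass_rules(rules, start=LOCAL_SID_START):
    """Return the rule set as lines, with every pass rule that lacks a sid or
    shares one with another rule moved onto the next free sid from `start`.
    The detection rule keeps its sid; a comment records the old pairing."""
    no_sid, dups = audit(rules)
    fix = {i for i, r in enumerate(rules) if r in no_sid}
    fix |= {i for i, r in enumerate(rules) if r[1] == 'pass' and r[2] in dups}
    taken = {r[2] for r in rules if r[2] is not None}
    next_sid, out = start, []
    for i, (lineno, action, sid, text) in enumerate(rules):
        if i not in fix:
            out.append(text)
            continue
        while next_sid in taken:
            next_sid += 1
        taken.add(next_sid)
        if sid is None:
            body = text[:-1].rstrip()            # drop closing ')'
            if not body.endswith(';'):
                body += ';'
            out.append('%s sid:%d;)' % (body, next_sid))
        else:
            out.append('# pass rule below was sid:%d (tunes detection sid %d)' % (sid, sid))
            out.append(re.sub(r'\bsid\s*:\s*\d+\s*;', 'sid:%d;' % next_sid, text, count=1))
        next_sid += 1
    return out


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    no_sid, dups = audit(rules)
    for r in no_sid:
        print('line %d: pass rule has no sid' % r[0])
    for sid, rs in dups.items():
        print('sid %d used on lines %s' % (sid, ', '.join(str(r[0]) for r in rs)))
    print('\n'.join(renumber_pass_rules(rules)))
```

Run it against your real rule files by replacing SAMPLE_RULES with the file contents; the renumbered output is meant to be reviewed, not blindly written back, since the comment line is the only remaining link between a pass rule and the detection sid it was tuning.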

