[Snort-sigs] Rule Migration Cheat Sheet?

Hayes, Bert (ISO) bhayes at ...3542...
Tue Dec 21 14:51:40 EST 2010


My apologies if this has already been covered elsewhere; if it has, I sure
can't find it.

I'm upgrading a non-production system from Debian's Snort 2.7 package to
Snort 2.9.0.3 compiled from source.  This system only uses a handful of
custom rules that I've written myself for post-mortem pcap analysis of
malware, etc.  I'm not using VRT, ET, ET Pro, etc.  Just a few rules dumped
from my brain.

I'm aware that there were some big changes in rule syntax as of 2.8.6 (man,
am I aware) but I can't find a concise, coherent explanation of what the
specific changes are.  I can find tons of links re: how to get new and
improved rules that others have written, but nothing that addresses how to
re-write my own rules.

Anybody got a link?  Can it be posted to the Snort blog (I know it's not
exactly timely, but it could help others).

Thanks.

-Bert

--
Bert Hayes, GCIH
Senior Network Security Analyst
University of Texas at Austin
Information Security Office

