[Snort-sigs] Rule Migration Cheat Sheet?
jesler at ...435...
Wed Dec 22 10:13:40 EST 2010
BTW -- I had to allow your email through manually, you might want to subscribe to snort-sigs to post.
There are several new keywords (file_data, byte_extract, http_*) We don't have a specific conversion cheat sheet, as the old rule options still work fine, the new rule options just allow for clarification of functionality and a more specific and efficient rule writing process.
That being said, I know a lot of you want to get your rules updated to Snort 2.9 format, I am just swamped, and I know I won't get to it until late January. If anyone from the community wants to write a cheat sheet document, we'll review it, I'll put it on the blog, snort.org, and I'll give you a free VRT rule subscription for a year.
On Dec 21, 2010, at 2:51 PM, Hayes, Bert (ISO) wrote:
> My apologies if this has already been covered elsewhere; if it has, I sure
> can't find it.
> I'm upgrading a non-production system from Debian's Snort 2.7 package to
> Snort 188.8.131.52 compiled from source. This system only uses a handful of
> custom rules that I've written myself for post-mortem pcap analysis of
> malware, etc. I'm not using VRT, ET, ET Pro, etc. Just a few rules dumped
> from my brain.
> I'm aware that there were some big changes in rule syntax as of 2.8.6 (man,
> am I aware) but I can't find a concise, coherent explanation of what the
> specific changes are. I can find tons of links re: how to get new and
> improved rules that others have written, but nothing that addresses how to
> re-write my own rules.
> Anybody got a link? Can it be posted to the Snort blog (I know it's not
> exactly timely, but it could help others).
> Bert Hayes, GCIH
> Senior Network Security Analyst
> University of Texas at Austin
> Information Security Office
> Forrester recently released a report on the Return on Investment (ROI) of
> Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
> within 7 months. Over 3 million businesses have gone Google with Google Apps:
> an online email calendar, and document program that's accessible from your
> browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew_______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
More information about the Snort-sigs