[Snort-sigs] VRT Release 2010-02-23 uses "detection_filter"

evilghost at ...3397... evilghost at ...3397...
Wed Feb 24 10:41:42 EST 2010

Thanks Matt, honestly these *specific* changes announced in advance 
would be helpful.  Things move slowly in the enterprise and often times 
justification is needed outside of "this is the latest version" to 
proceed with changes in a production IDS environment.  "Please be 
advised that on 02/23/2010 the VRT signatures now use detection_filter, 
users should plan an upgrade to 2.8.5" would be helpful if announced 
prior to the actual implementation of these changes and before I started 
assassinating my Snort processes.  I would imagine 14 days would be 
reasonable, or even 7 days, but at least allocate some time to permit an 
upgrade and warn your user-base of the impending destruction for 
"legacy" users.

Thank you for your consideration.


Matt Olney wrote:
> You know, it probably isn't unreasonable for us to call out changes
> like that.  Going forward we'll see what we can do.  That being said,
> we have called out that those who don't stay up with the latest Snort
> may have issues:
> Note: Snort rule packages for Subscribers and Registered Users track
> the latest patch release for any major version. This means that rule
> packages may make use of features that only exist in the latest
> version of Snort. A simple example is: If 2.8.4 is the current version
> of Snort then the snortrules-snapshot-2.8 packages might use features
> not available in and earlier.
> (http://www.snort.org/snort-rules)
> Matt
> On Wed, Feb 24, 2010 at 10:26 AM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>> While I truly enjoy surprises sometimes I'm disappointed when the gift
>> isn't something I wanted.  In this case the gift was given to me by VRT
>> and came in the form of "detection_filter".  As I eagerly unpacked the
>> tar-gzip, giddy like the child on Christmas morning, my happiness turned
>> to sadness.  Santa brought me some coal, have I really been that bad?
>> It made my Snorts become very unhappy (evidently they don't like
>> surprises like I do).  Sure I can sed these out but a little advance
>> warning is nice.  Note, advance warning does not constitute "Snort 2.8.5
>> is current, you should be running it" or the generic catch-all warning
>> currently in place.  Specific warnings such as "These VRT rules are
>> using detection_filter" would be highly appreciated and would allow me
>> to react accordingly before I dropped a few depth-charges on my Snorts.
>> http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-23.html
>> -evilghost