[Snort-sigs] VRT Release 2010-02-23 uses "detection_filter"

evilghost at ...3397...
Fri Feb 26 12:05:29 EST 2010


While it is in poor taste to reply to my own message, in this case it's 
necessary.  For those who have elected to upgrade or are planning to 
upgrade to 2.8.5.3 as a result of the VRT rule changes, please be advised 
that the -L flag does not work in 2.8.5.3.  Evidently this is a known 
issue (I did report it to the team) and has been resolved in 2.8.6 RC.  
There is no "known bugs" listing/document in 2.8.5.3; instead, this bug 
is identified and corrected in the 2.8.6 RC change log.

In my environment this caused some havoc as the -L flag was used to 
separate logging for multiple BPF flow-pinned instances.  The -L flag is 
ignored and all files log to snort.log.{epoch}.  There could be file 
contention and clobbering as multiple instances attempt to write to the 
same file; I have not investigated this further to see if this is indeed 
the case.

I used the -l flag to dump the files into a separate directory using the 
same naming convention as the now defunct -L flag used.

-evilghost
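The clobbering question left open above (several instances all writing snort.log.{epoch} because -L is ignored) can be checked directly. The script below is an added example, not part of the original post or of Snort: it assumes Linux /proc, a process named snort, and uses constructed pids and paths for the self-test.

```shell
#!/bin/sh
# Added example (not from the original post). With -L ignored in 2.8.5.3,
# report any snort.log.* file that more than one snort process holds open.
# The "<pid> <path>" parsing is separate from the /proc walk so it can be
# exercised on captured input.

# shared_log_files: reads "<pid> <path>" lines on stdin and prints each
# path that is open in more than one distinct pid.
shared_log_files() {
    sort -u | awk '{ n[$2]++ } END { for (p in n) if (n[p] > 1) print p }' | sort
}

# live_snort_fds: emits "<pid> <path>" for every snort.log.* file held open
# by a process named snort (Linux /proc only; needs permission to read fds).
live_snort_fds() {
    for pid in $(pgrep -x snort 2>/dev/null); do
        for fd in /proc/"$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                */snort.log.*) printf '%s %s\n' "$pid" "$target" ;;
            esac
        done
    done
}

# Constructed sample: instances 101 and 102 share the default log file,
# instance 103 was started with its own -l directory.
SAMPLE='101 /var/log/snort/snort.log.1267200000
102 /var/log/snort/snort.log.1267200000
103 /var/log/snort/inst3/snort.log.1267200000'

# check_sample: runs the collision check on the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE" | shared_log_files
}

# check_live: runs the collision check against running snort processes.
check_live() {
    live_snort_fds | shared_log_files
}
```

Run check_live as a user that can read the snort processes' fd tables; an empty result means every instance has its own log file.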