[Snort-sigs] [Emerging-Sigs] [Snort-devel] Snort Now Available

Joel Esler jesler at ...435...
Wed Nov 3 21:48:40 EDT 2010

What versioning in Snort rules do you all find to be acceptable?

Take into account that there is no way we can maintain every version of every build and I am committing to nothing, I would just like to hear some constructive ideas. 

Sent from my iPhone

On Nov 3, 2010, at 9:16 PM, "evilghost at ...3397..." <evilghost at ...3397...> wrote:

> Hash: SHA1
>> several of my projects are current stuck at with NO WAY to move forward 
>> due to the forced updates in certain sources that snort has gone... it bites 
>> huge uglies and many of my clients are extremely upset... you don't hear it but 
>> i sure do :( :( :(
> I made the jump, abandoning Paul Woods mmap libpcap 0.9.8 and using DAQ
> compiled with only AFPACKET (these are 32bitCentOS 5 boxes, I did not want to do
> the libpcap 1.0.0 song and dance).  Check the Snort mailing list, evidently
> CentOS x64 has some issues with AFPACKET.
> I also disabled SO rules.  AFPACKET alone seems to be doing well and all in all
> it wasn't too difficult.  There is a noticible decrease in CPU utilization,
> perhaps 30% or more.  It's difficult to attribute this to a specific action
> since so many variables changed (introduction of, AFPACKET, DAQ, and
> disabling SO rules).
> I do get tired of constantly feeling like I'm hurried into an update and the
> lack of fixing the http reassembly issue regarding http_inspect on hurt
> me.  I'm constantly in a state of instability and flux because of aggressive
> (and really asinine) support schedules.  I'm now using DAQ with AFPACKET;
> something I'm not used to, and change takes a while to validate it's successful.
> I figured I'd offer this up to the group in the event you weren't aware you
> could compile DAQ with AFPACKET only.  Oddly enough Snort had no issues
> compiling against libpcap-0.9.8 -- only DAQ complained.
> - -evilghost
> Version: GnuPG v1.4.10 (GNU/Linux)
> QN4XHg+xwndw5Ee7jEXoUijwCwQlPDkg9w2V9L59od5lDxtJL1tnMyEc7cf9n2vF
> Z9N4FHLGWthme8XSbg2Mz+fZcCk5pxwSN5+BJv3958r9EaSC6k1uz5XF/B2DXWgC
> SqzOsuXAz9XEq9SGShgbjQ2/11P0JwOonc956kioOigUkiTsEs8cmxW1AKslmvbt
> KaFCvPwxnbo7JYQT/canfQgCvMOhgp5i9QW6TiXtoc6mm9dlVVCaeu7ro/m1CFpb
> Pq3lx4f8I43lmsrdUOGXuxqoMom+6tteV1fX1E9dqEukDep8yOvzXd+3lQvk+LLH
> lfUNDbR1i72jETA6USEOShVsi5KNJqGN2XhwV9+RH6Iti0Sw5FIsnvec0i5zYuzW
> FZ/BvJQeVDJdNyptQNbI3qWlAu2hUqyAOyIiTeixV2/9YVrNqDXAcBHzrZyGZYAm
> B5lL2lNUirb6btDvnaU2PaJqwByAcVyodeBsfOO1GeNh7+T+RfMCkVTy/AQbXPD0
> A6nqQS5fxo4Vw+wP6Xpkbly+RDeASrlZoljPqkaMofG43ECbqCD4I6VJPbrDs+3s
> KJ2opZ3O7niKxOynVZac
> =/fS9
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...3335...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

More information about the Snort-sigs mailing list