[Snort-users] current rules that work in snort 1.7

Max Vision vision at ...4...
Fri Apr 27 23:00:49 EDT 2001


Hi,

There have been quite a few cool new additions to Snort since the 1.7 
release, and as many have found out the hard way, the available rulesets 
have started to include functionality that is only available to Snort 1.8 
beta users. Oops!  Turns out that was a bad idea.

To address this problem, arachNIDS now exports a snort 1.7 and snort 1.8 
compatible signature file.  Since there are no signatures actually stored 
in the database (all "signatures" are dynamically created in realtime from 
other information in the database), this was really straightforward.

The new features that had crept into the snort 1.8 ruleset are the 
plugins "telnet_decode", "rpc_decode", "bo", "stream2" and the keywords 
"classtype", "reference", and "uricontent".  Appropriate equivalents are 
used in the backwards-compatible ruleset so Snort 1.7 users can enjoy the 
more recent rule additions.

The new rulesets are available at:

default is compatible with snort 1.7:
   http://whitehats.com/ids/vision.conf.gz
   http://whitehats.com/ids/vision.rules.gz

version for snort 1.7 (same as above):
   http://whitehats.com/ids/vision17.conf.gz
   http://whitehats.com/ids/vision17.rules.gz

version for snort 1.8+:
   http://whitehats.com/ids/vision18.conf.gz
   http://whitehats.com/ids/vision18.rules.gz

Max
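
The following is an added example, not part of the original message or of arachNIDS: a pre-deployment check that flags the Snort 1.8-only plugins and keywords named above, so a 1.7 sensor is not handed a file it cannot load. It assumes one rule or directive per line; the function name and the sample lines are constructed for illustration.

```python
import re

# Snort 1.8-only features, exactly as listed in the message above.
PLUGINS_18 = {"telnet_decode", "rpc_decode", "bo", "stream2"}
KEYWORDS_18 = {"classtype", "reference", "uricontent"}

PREPROC_RE = re.compile(r"^preprocessor\s+([A-Za-z0-9_]+)")
# Quoted option values may contain ';' or ':' and escaped quotes; blank them
# out before splitting the option list so text inside msg/content is ignored.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def find_18_only(text):
    """Return (line_number, kind, name) for each 1.8-only feature in use."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = PREPROC_RE.match(stripped)
        if m:
            if m.group(1) in PLUGINS_18:
                findings.append((lineno, "plugin", m.group(1)))
            continue
        # Rule options sit between the first "(" and the last ")".
        start, end = stripped.find("("), stripped.rfind(")")
        if start == -1 or end <= start:
            continue
        body = QUOTED_RE.sub('""', stripped[start + 1:end])
        for opt in body.split(";"):
            name = opt.split(":", 1)[0].strip()
            if name in KEYWORDS_18:
                findings.append((lineno, "keyword", name))
    return findings


# Constructed sample input, not taken from vision.conf or vision.rules.
SAMPLE = '''\
# constructed sample
preprocessor http_decode: 80
preprocessor telnet_decode
preprocessor rpc_decode: 111
alert tcp any any -> any 80 (msg:"constructed; uricontent: in text"; content:"/x"; flags:PA;)
alert tcp any any -> any 80 (msg:"constructed probe"; uricontent:"/x"; classtype:attempted-recon; reference:arachnids,0;)
'''

if __name__ == "__main__":
    for lineno, kind, name in find_18_only(SAMPLE):
        print(f"line {lineno}: {kind} '{name}' needs Snort 1.8")
```

An empty result means the file uses none of the listed 1.8 features; any finding means the 1.7-compatible export should be used instead.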