[Snort-users] Snort rules trouble.

Erek Adams erek at ...577...
Fri Jun 21 12:07:21 EDT 2002

On Fri, 21 Jun 2002, Slighter, Tim wrote:

> Will this also resolve the "flow" issue that is happening?

"flow" is a keyword that has been added into the 1.9 developmental branch of
snort.  1.9 is the 'bleeding edge' where all the new features and changes are
made.  1.8.6+ is the 'stable' or 'bugfix' release.

What happens is this:

	* Bug in 1.9 is found, and fixed.  If the same bug is present in 1.8.x
the fix is backported.
	* Rules are written and updated for the 1.9 tree.  Then the rules are
backported to the 1.8.x rule base.  If the rule won't work with 1.8.x, i.e.
"flow" rules, they are commented out in CVS.

Many times when folks update new rules, they don't really read or understand
the rules, they just say "Hey, look--It's commented out.  I'll add it back in
so that I'm running _all_ the rules--That way I'll be even _more_ protected!"
That's not a Good Idea(tm).  :)  As our Rule Nazi (Cazz) has said "Things are
commented out for a reason.  Don't uncomment them unless you understand why
they were commented out in the first place."

There is a script that will update your rules that someone on the list has
written.  It works very well, except for one tiny quirk--By default, it
uncomments any commented out rules.  The author has already said that should
be an option and not a default, so use caution when/if using scripts to update
your rules.  Heh...  One more reason to do it yourself....  ;-)

Sorry for rambling!  I hope this helps understand a bit!


Erek Adams
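
An added example, not part of the original post and not the updater script it mentions: a check that compares a local rule file with the distributed one and reports rules that are active locally although they are commented out upstream, or that use a keyword the running release does not support ("flow" on 1.8.x, per the post). The function names, rule text and sids are constructed for illustration.

```python
import re

# An optionally commented-out Snort rule line; captures the option block.
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?(?:alert|log|pass|activate|dynamic)\s[^(]*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted option values, e.g. msg/content

# Constructed sample of a distributed 1.8.x rule file (not real rules or sids).
UPSTREAM = '''\
# sample.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample FTP rule"; content:"SITE EXEC"; sid:1000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample web rule"; flow:to_server,established; content:"/a.cgi"; sid:1000002; rev:1;)
'''
# What an updater that uncomments every rule would leave on disk.
LOCAL = UPSTREAM.replace('#alert', 'alert')


def parse_rules(text):
    """Return {sid: (enabled, option_keywords)} for every rule line in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group('opts')) if m else None
        if not sid:
            continue  # ordinary comment, blank line, or rule without a sid
        # Blank out quoted values so a ';' inside msg/content cannot split an option.
        opts = QUOTED_RE.sub('""', m.group('opts'))
        keywords = {o.split(':', 1)[0].strip() for o in opts.split(';') if o.strip()}
        rules[int(sid.group(1))] = (m.group('off') is None, keywords)
    return rules


def audit(upstream_text, local_text, unsupported=('flow',)):
    """List (sid, reason) for local rules that are active but should not be."""
    upstream, local = parse_rules(upstream_text), parse_rules(local_text)
    findings = []
    for sid, (enabled, keywords) in sorted(local.items()):
        if not enabled:
            continue
        if sid in upstream and not upstream[sid][0]:
            findings.append((sid, 'active locally, commented out upstream'))
        for kw in sorted(keywords & set(unsupported)):
            findings.append((sid, 'uses keyword not supported by this release: ' + kw))
    return findings


if __name__ == '__main__':
    for sid, reason in audit(UPSTREAM, LOCAL):
        print(sid, reason)
```

Run it after any scripted update and before restarting snort; an empty result means the local file has not enabled anything the distributed file left disabled.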
