[Snort-users] Snort rules trouble.

Slighter, Tim tslighter at ...5174...
Fri Jun 21 12:16:10 EDT 2002

If Jason is going to go with his intended build of 1.86 and would ultimately
have to comment out anything using "flow", if he needs to stay with that
build, then he might want to consider downloading the latest signatures from
activeworx as well as the policy manager and integrating those into the
rules to ensure that he is using some of the latest signatures.  Otherwise,
it could be advantageous to move ahead to the daily snapshot and use the
latest rules from current.

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Friday, June 21, 2002 1:07 PM
To: Slighter, Tim
Cc: Jason Gauthier; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort rules trouble.

On Fri, 21 Jun 2002, Slighter, Tim wrote:

> Will this also resolve the "flow" issue that is happening?

"flow" is a keyword that has been added into the 1.9 developmental branch of
snort.  1.9 is the 'bleeding edge' where all the new features and changes are
made.  1.8.6+ is the 'stable' or 'bugfix' release.

What happens is this:

	* Bug in 1.9 is found, and fixed.  If the same bug is present in
the fix is backported.
	* Rules are written and updated for the 1.9 tree.  Then the rules are
backported to the 1.8.x rule base.  If the rule won't work with 1.8.x, i.e.
"flow" rules, they are commented out in CVS.

Many times when folks update new rules, they don't really read or understand
the rules, they just say "Hey, look--It's commented out.  I'll add it back
so that I'm running _all_ the rules--That way I'll be even _more_
That's not a Good Idea(tm).  :)  As our Rule Nazi (Cazz) has said "Things are
commented out for a reason.  Don't uncomment them unless you understand why
they were commented out in the first place."

There is a script that will update your rules that someone on the list has
written.  It works very well, except for one tiny quirk--By default, it
uncomments any commented out rules.  The author has already said that should
be an option and not a default, so use caution when/if using scripts to
your rules.  Heh...  One more reason to do it yourself....  ;-)

Sorry for rambling!  I hope this helps understand a bit!


Erek Adams
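An added example, not code from this thread or from the Snort project: a small Python filter that applies the advice above when merging a fresh rule set into a 1.8.x install. It never uncomments a rule the upstream maintainers commented out, and it comments out any active rule that uses the "flow" keyword when the running Snort does not support it. The rule lines, SIDs and function names are constructed for the example.

```python
import re

# Constructed sample rules file (not from the thread): an active rule without
# "flow", an upstream-commented rule using "flow", and an active rule using "flow".
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"sample ssh probe"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample web rule"; flow:to_server,established; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample ftp rule"; flow:to_server; sid:1000003; rev:1;)
"""

# A rule line: optional leading '#', an action, a protocol, and an option body in parentheses.
RULE_RE = re.compile(r"^\s*#?\s*(alert|log|pass)\s+\S+\s+.*\(.*\)\s*$")
# The "flow" option; the word boundary keeps "flowbits:" from matching.
FLOW_RE = re.compile(r"\bflow\s*:")


def is_commented(line):
    return line.lstrip().startswith("#")


def uses_flow(line):
    return FLOW_RE.search(line) is not None


def filter_rules(text, supports_flow):
    """Return (new_text, report) for a rules file.

    Rules commented out upstream are left commented (never re-enabled).
    Active rules using "flow" are commented out when supports_flow is False,
    which is the case for the 1.8.x branch described in the thread.
    report is a list of (line_number, action) for every line that mattered.
    """
    out, report = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not RULE_RE.match(line):
            out.append(line)  # blank lines, comments that are not rules, variables
        elif is_commented(line):
            out.append(line)  # upstream disabled it: keep it disabled
            report.append((n, "kept-commented"))
        elif uses_flow(line) and not supports_flow:
            out.append("# disabled (flow unsupported on this build): " + line)
            report.append((n, "disabled"))
        else:
            out.append(line)
    return "\n".join(out) + "\n", report


if __name__ == "__main__":
    new_text, rep = filter_rules(SAMPLE_RULES, supports_flow=False)
    print(new_text)
    print(rep)
```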
