[Snort-users] Problem with Snort 2.0.4 and Snort Rules

Matt Kettler mkettler at ...4108...
Wed Nov 19 09:09:09 EST 2003


At 09:10 PM 11/18/2003, Nigel Houghton wrote:
>  Use the stable rules with 2.0.4, or just the rules that come with 2.0.4,
>: but the "current" rules are never guaranteed to work with anything but
>: the "current" version of snort, which is a development snapshot not a
>: numbered release.
>
>Please look at:
>
>  http://www.snort.org/source.html
>
>"Right now, CURRENT is stable. Please use CURRENT."

Ahh, but if you look at

http://www.snort.org/dl/rules/

You'll see that the mis-statement has been corrected... STABLE is for 
2.0.x, CURRENT is for 2.1.x.. CURRENT isn't STABLE anymore..

I hope everyone involved takes this as constructive criticism from an 
honest supporter of snort, but one of these days Snort should strongly 
consider having a consistent naming convention for files on their website, 
set it down fairly firm and make both web and devel sides agree to it. I've 
been using snort for many years now, and this kind of constant 
naming/compatibility inconsistency as to what rules work with what versions 
of snort is nothing new.

It's also long since been very true that the snort.org website notes about 
the state of packages severely lags changes on the development side. A lot 
of this is just a matter of the fact that the snort team seems to be a 
bunch of very busy people. This is why having a consistent convention is 
helpful not just to users, but the snort team as well. If current and 
stable keep changing meaning on the devel side every 6 months, the website 
will likely not always reflect the current status. However, if branches 
retain their meaning, then nobody has to keep updating the website and 
hunting through all the text to find all the now outdated and incorrect 
references.

I understand the need to make a development branch that may or may not work 
with the latest numbered release, but the constant flip-flop between what 
release names of what files end users should be using as a stable release 
needs to stop. It's a bad trend for snort, it confuses users, and it makes 
unnecessary work for your own website maintainers.

As far as I can tell the only guarantee that has held true over the past 
several years is that CURRENT rules will always work with CURRENT code. 
Sometimes CURRENT works with STABLE and the latest numbered release, but 
that's not always true.

Certainly making statements like "CURRENT is now STABLE" is a bad idea in 
general. I believe at the time it was done to facilitate 2.0.x and 1.9.x 
existing in parallel, but a better idea would have been to create something 
like STABLE-19.





More information about the Snort-users mailing list