[Snort-users] Updating Rules?
halljer at ...8709...
Thu Feb 12 13:55:09 EST 2004
I guess I'll update as soon as possible... I think this needs to be changed though:
-> If you are using 2.1.*, please use snortrules-snapshot-2_1 rules. <-
Because snortrules-snapshot-2_1 rules.tar.gz BREAKS 2.1.0. If I was using autoupdate with Oinkmaster and used that info I would have had problems due to the flowbits addition. Luckily I manually update my rules using Oinkmaster and inspect the results :).
>>> Andreas Östling <andreaso at ...236...> 2/12/2004 3:39:33 PM >>>
On Thu, 12 Feb 2004, Dusty Hall wrote:
> Which should I use for 2.1.0? Is 2.1.1 RC1 the "currently "shipping"
> snort"? Should I update?
Because of the alert mixup bug in Snort 2.1.0, I think it should be
avoided. Snort 2.1.1 RC1 works fine from what I can tell, so I think you
should use 2.1.1 RC1 and the 2_1 rules (or 2.0.6 and the 2_0 rules until
2.1.1 is released). Another reason to avoid 2.1.0 is that it doesn't have
the flowbits feature which the 2_1 rules currently require (which I guess
they really shouldn't, but that's a known issue that has already been
mentioned on the lists, and it doesn't really matter as 2.1.1 RC1 is the
way to go anyway).
> Thank goodness I don't use oinkmaster to autoupdate...
Can you please explain what you mean by this?
Autoupdate is of course always a risk, especially if you for some
mysterious reason do it without using snort -T on the new rules before
loading them. I haven't had any problems with Oinkmaster or the update
Btw, for those who actually use Oinkmaster and Snort 2.1.1 and want to use
the 2_1 rules, a simple workaround to disable all the 'flowbits' rules
(temporarily, until you use a Snort that can handle them) can be (assuming
Oinkmaster >= 0.9):
modifysid * "(.*\bflowbits:.*)" | "#$1"
Or simply "disablesid 2192,2350,2348,2349,2352", or use some modifysid
statement or sed command or whatever to remove only the 'flowbits' parts
if that is what you want.
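As an added illustration (not from the thread, and not Oinkmaster's own Perl code), the Python below applies the same pattern as the modifysid statement above to a constructed rules file, offers the disablesid-style alternative, and lists which active sids still need flowbits so a rule set can be checked before it is loaded on a Snort that lacks the feature. The sample rules, sids and content strings are constructed for the example.

```python
import re

# Constructed sample rules (not real Snort rules; made-up sids and content)
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"plain rule"; content:"foo"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"sets a flowbit"; content:"bar"; flowbits:set,http.seen; flowbits:noalert; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"already disabled"; flowbits:isset,http.seen; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"checks a flowbit"; flowbits:isset,http.seen; content:"baz"; sid:1000004; rev:1;)
"""

# Same pattern as the thread's modifysid statement: (.*\bflowbits:.*) -> #$1
FLOWBITS_RULE = re.compile(r'^(.*\bflowbits:.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

def _is_commented(line):
    return line.lstrip().startswith('#')

def disable_flowbits_rules(rules_text):
    """Comment out every active rule that uses 'flowbits:'.
    Returns (rewritten text, list of sids that were disabled)."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        if _is_commented(line):
            out.append(line)          # leave already-disabled rules untouched
            continue
        new_line, n = FLOWBITS_RULE.subn(r'#\1', line)
        if n:
            m = SID_RE.search(line)
            disabled.append(int(m.group(1)) if m else None)
        out.append(new_line)
    return '\n'.join(out) + '\n', disabled

def disable_sids(rules_text, sids):
    """The 'disablesid 2192,2350,...' alternative: comment out rules by sid."""
    wanted = set(sids)
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in wanted and not _is_commented(line):
            line = '#' + line
        out.append(line)
    return '\n'.join(out) + '\n'

def flowbits_sids(rules_text):
    """Pre-load check: sids of active rules that still need flowbits support."""
    return [int(SID_RE.search(l).group(1)) for l in rules_text.splitlines()
            if not _is_commented(l) and FLOWBITS_RULE.match(l) and SID_RE.search(l)]
```

Running the rewritten file through snort -T, as the thread recommends, remains the real test; this only tells you which rules the workaround touched.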