[Snort-users] Snort 2.8.4 Now Available

Matt Watchinski mwatchinski at ...1935...
Wed Apr 8 17:29:18 EDT 2009


Answers inline

On Wed, Apr 8, 2009 at 4:41 PM, Seth Art <sethsec at ...11827...> wrote:
> On Wed, Apr 8, 2009 at 5:38 PM, Matt Watchinski
> <mwatchinski at ...1935...> wrote:
>
>> Given all that, here is exactly what is going to happen hopefully today.
>>
>> 1. A new set of rule packages will be released.  If you are a
>> subscriber and can get rules immediately the following will happen.
>>
>> The 2.7 rule packages will contain all the OLD NETBIOS rules
>> The 2.8 rule packages will contain all the NEW NETBIOS rules
>> The CURRENT rule packages will contain all the NEW NETBIOS rules
>
> So to be clear, the snortrules-snapshot-2.8_s.tar.gz on snort.org now
> (md5sum: 6abf9bf635870cd68335c5d2a599a01e) does NOT have the new
> netbios rules YET... right?
>
> wc -l netbios.rules
> 5828 netbios.rules
>

Correct, not up yet.

> 1) How will we know when this new pack IS released?
>

Like you do any other time, the md5 will change and we post a
release message here.

> 2) Will the NEW netbios rules use the same name -- netbios.rules? Or
> will I have to modify my snort.conf include statements
> ie: remove
> include $RULE_PATH/netbios.rules
> and add
> include $RULE_PATH/netbios-for-dce2.rules
>

Same name.

> 3) Is the new dcerpc2 preproc backwards compatible?  Can it read the
> old netbios rules? I guess if the answer to this question is yes, I
> have the answer to my next question.
>

dcerpc2 is backwards compatible.  The old rules will still work with it.

> 4) If the 2.8_s with the NEW rules have not been released, and if the
> new preproc can not read the old netbios rules, doesn't that mean I
> can not push out the new binary and changes to snort.conf (enable
> dcerpc2 preproc) to my sensors yet?
>

Nope, push away.  The old rules work just fine with the new dcerpc preprocessor.


> Thanks,
>
> Seth
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/



