Snort mailing list archives
Re: Snort 2.8.4 Now Available
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Wed, 8 Apr 2009 17:29:18 -0400
Answers inline

On Wed, Apr 8, 2009 at 4:41 PM, Seth Art <sethsec () gmail com> wrote:
On Wed, Apr 8, 2009 at 5:38 PM, Matt Watchinski <mwatchinski () sourcefire com> wrote:

Given all that, here is exactly what is going to happen hopefully today.

1. A new set of rule packages will be released. If you are a subscriber and can get rules immediately the following will happen.

The 2.7 rule packages will contain all the OLD NETBIOS rules
The 2.8 rule packages will contain all the NEW NETBIOS rules
The CURRENT rule packages will contain all the NEW NETBIOS rules

So to be clear, the snortrules-snapshot-2.8_s.tar.gz on snort.org now (md5sum: 6abf9bf635870cd68335c5d2a599a01e) does NOT have the new netbios rules YET... right?

wc -l netbios.rules
5828 netbios.rules
Correct, not up yet.
1) How will we know when this new pack IS released?
Like you do with any other time, the md5 will change and we post a release message here.
2) Will the NEW netbios rules use the same name -- netbios.rules? Or will I have to modify my snort.conf include statements, ie: remove
include $RULE_PATH/netbios.rules
and add
include $RULE_PATH/netbios-for-dce2.rules
Same name.
3) Is the new dcerpc2 preproc backwards compatible? Can it read the old netbios rules? I guess if the answer to this question is yes, I have the answer to my next question.
dcerpc2 is backwards compatible. The old rules will still work with it.
4) If the 2.8_s with the NEW rules have not been released, and if the new preproc can not read the old netbios rules, doesn't that mean I can not push out the new binary and changes to snort.conf (enable dcerpc2 preproc) to my sensors yet?
Nope, push away. The old rules work just fine with the new dcerpc preprocessor.
Thanks, Seth
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/