Snort mailing list archives

Re: Ubuntu 11.04 / 10 rulesset


From: Nick Moore <nmoore () sourcefire com>
Date: Mon, 31 Oct 2011 12:28:46 -0500

There is a really good guide on snort.org/docs that covers installing Snort
from source on Ubuntu with step by step instructions.

While apt-get is easy, installing from source isn't that hard.

On Mon, Oct 31, 2011 at 11:12 AM, Joel Esler <jesler () sourcefire com> wrote:

On Oct 31, 2011, at 11:44 AM, Mike Lococo wrote:
On 10/31/2011 09:42 AM, Marcin Nawrocki wrote:
Do I have to compile / create my own snort rules for the recent
versions of ubuntu or can I use the delivered rules for the
LTS-version? If I have to do it by myself, how to do this manually?

I recently filed an Ubuntu bug regarding exactly this issue:
https://bugs.launchpad.net/ubuntu/+source/snort/+bug/872582

In short, the version of Snort provided with Ubuntu is no longer
supported by Sourcefire and will not run recent VRT rules.  There is
nothing you can do to make it do so.  You can run whatever is in the
snort-rules package, but I don't believe that the sigs in that package
have been updated for at least a year.  It's more likely that
those are the sigs that were released with 2.8.5.2 in December of 2009,
and consequently would be missing detection for any threat that has
evolved or emerged since then (aka, almost everything that matters).

Actually, more incorrectly, the rules distributed WITH ubuntu are the
GPL'ed ones.  SID 3464 and below.  So, very old.


As an alternate, you can custom install pulledpork and use it to
download the Emerging-Threats Open ruleset which does still support the
2.8.5.x series.  That's a quality ruleset in my opinion and you could do
worse than to use it, but you can't run the VRT rules.

You can run the VRT rules, but we are adding keywords all the time that
will break compatibility, and 2.8.5.2 can't use any of the newer features
of the ruleset.  There's a reason we update Snort and add better detection
and magical keywords like "file_data".  I really wish ET would stop
"supporting" that far back.  It's like enabling a drug addict to not quit.
It hurts more than helps.

Another alternative is installing current snort from Source, which is
what most serious Snort users do.  There are guides out there on how to
do so, but it is many many times more work than apt-get install.


Yes! That.
------------------------------------------------------------------------------
Get your Android app more play: Bring it to the BlackBerry PlayBook
in minutes. BlackBerry App World&#153; now supports Android&#153; Apps
for the BlackBerry&reg; PlayBook&#153;. Discover just how easy and simple
it is! http://p.sf.net/sfu/android-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
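Joel's point that newer rule keywords such as "file_data" will not load on an old Snort is something an admin can vet before pushing a ruleset to a legacy sensor. The following is an added example, not code from Snort, pulledpork or Emerging Threats; the LEGACY_KEYWORDS set and the sample rules are constructed for illustration, and the checker assumes one rule per line. It reports, per sid, every option keyword that falls outside the supported set:

```python
# Pre-flight keyword check: list rules that use option keywords an older Snort
# build does not know, before loading them on it. Assumes one rule per line.
# LEGACY_KEYWORDS is illustrative, not an authoritative table for 2.8.5.2;
# "file_data", the newer keyword named in the thread, is deliberately absent.
LEGACY_KEYWORDS = {"msg", "content", "nocase", "offset", "depth", "distance",
                   "within", "pcre", "flow", "reference", "classtype", "sid",
                   "rev", "metadata", "uricontent", "flowbits", "dsize"}

# Constructed sample rules for the demo; not taken from any real ruleset.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"legacy ok"; flow:to_server,established; content:"GET"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"needs file_data"; flow:to_client,established; file_data; content:"%PDF-"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"semicolon; inside quotes"; content:"a|3B|b;c"; http_uri; sid:1000003; rev:1;)
"""

def split_options(body):
    """Split an option body on ';' outside double quotes (backslash escapes)."""
    parts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if not escape and ch == '"':
            in_quote = not in_quote
        elif not escape and ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
            continue
        escape = ch == "\\" and not escape
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def rule_options(rule):
    """Return (keyword, value) pairs from the rule's parenthesised option body."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return []
    return [(n.strip(), v.strip()) for n, _, v in
            (p.partition(":") for p in split_options(rule[start + 1:end]))]

def check_ruleset(text, supported=LEGACY_KEYWORDS):
    """Map each offending rule's sid (or line number) to its unknown keywords."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = rule_options(line)
        bad = sorted({k for k, _ in opts if k not in supported})
        if bad:
            report[dict(opts).get("sid") or "line%d" % lineno] = bad
    return report
```

Run check_ruleset() over a downloaded rules file with the keyword set of the Snort version actually installed; any non-empty report is a rule that build will reject or misparse.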