Re: [Snort-sigs] old rules with newer snort

There is another potential "gotcha" to consider if you're attempting
to take an older rule set and make it work with Snort 2.8.x.

IF you have a lot of pass rules, you will need to be sure that each
pass rule is assigned a unique sig_sid..... Historically, pass rules
didn't require sig_sids, and they also didn't detect duplication in
use of sig_sids.

Historically, we had written numerous pass rules for situations of
detection rules triggering off benign traffic. And, to address, we
would write highly specific pass rules where the rule option portion
would utilize the same sig_sid as the detection rule (so that we could
easily reference which detection rule the pass rule was tuning). This
workflow broke with Snort 2.8.

I understand the need to be efficient with reuse of code and I suspect
this is where/why the enforcement of unique sig_sids came into play
with Snort 2.8. But, it did produce hurdle for upgrading to Snort 2.8,
and something to consider if you have large numbers of pass rules that
currently don't have sig_sids or they aren't all unique.

Cheers, John

On Wed, Mar 5, 2008 at 8:37 AM, Sven Wurth <swurth@astaro.com> wrote:
> We like to use older rules with a newer snort only for a short time,
>  because of a migration.
>  Thanks for your quick response!
>  Kind regards
>  Sven
>
>  ________________________________________
>  Von: Joel Esler [mailto:joel.esler@sourcefire.com]
>  Gesendet: Mittwoch, 5. MÃrz 2008 17:30
>  An: Sven Wurth
>  Cc: Snort-sigs@lists.sourceforge.net
>  Betreff: Re: [Snort-sigs] old rules with newer snort
>
>
>
>  Yes, You can use older rules with a newer Snort, but not newer rules with an 
> older Snort.
>
>  Why would you want to use older rules?  Can't you use the current ones?
>
>  Joel
>
>  On Mar 5, 2008, at 11:11 AM, Sven Wurth wrote:
>
>
>  Hi Snort-sigs
>  Does anybody know if it's possible to use old snort rules with a newer snort?
>  Example: vrt-rules in Version 2.6 and a snort 2.8
>
>  Thanks
>  Kind regards
>  Sven
>
>  -------------------------------------------------------------------------
>  This SF.net email is sponsored by: Microsoft
>  Defy all challenges. Microsoft(R) Visual Studio 2008.
>  
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
>  Snort-sigs mailing list
>  Snort-sigs@lists.sourceforge.net
>  https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>  --
>  Joel Esler ï joel.esler@sourcefire.com
>
>
>
>
>  -------------------------------------------------------------------------
>  This SF.net email is sponsored by: Microsoft
>  Defy all challenges. Microsoft(R) Visual Studio 2008.
>  http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>  _______________________________________________
>  Snort-sigs mailing list
>  Snort-sigs@lists.sourceforge.net
>  https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs