<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Nov 28, 2017 at 10:29 AM, Alan Amesbury <span dir="ltr"><<a href="mailto:amesbury@oitsec.umn.edu" target="_blank">amesbury@oitsec.umn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">This message made its way to me via a coworker; my "digest" version apparently isn't due out for another half hour or so, so apologies for any misquoting.<br>
<br>
Francis Trudeau wrote:<br>
<br>
> The new Suricata 4.0 rules have been live on the production servers<br>
> since Thanksgiving. Sorry for the notification delay, we wanted to<br>
> see what happened over the US holiday weekend, and everything looks<br>
> good.<br>
><br>
> Please use the version number of your engine in the URL you use to<br>
> retrieve the set. We changed how it works now, and some paths that<br>
> worked before will no longer work. This was done to ensure people got<br>
> the right set for their engine. Please check your sensors and make<br>
> sure everything is updating correctly.<br>
<br>
Are rulesets backwards compatible? For example, can I run a ruleset intended for a v2.x version of Suricata on a 4.x version? I have a pair of sensors that for ${REASON} haven't been able to upgrade. The bulk are on a v3.x version, but I have some running 2.x.<br>
<br></blockquote><div><br></div><div>As suricata has kept compatibility with old versions, and we still have a Suricata 2.0 ruleset, at this time you can run an ET ruleset intended for a v2.x version of Suricata on a 4.x version.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Also, is there a definitive list of the ruleset version differences somewhere, e.g., which features require which engine version? I looked at<br>
<br>
<a href="http://suricata.readthedocs.io/en/latest/rules/index.html" rel="noreferrer" target="_blank">http://suricata.readthedocs.<wbr>io/en/latest/rules/index.html</a><br>
<br>
<br></blockquote><div><br></div><div>Other than patch notes (<a href="https://suricata-ids.org/2017/07/27/suricata-4-0-released/">https://suricata-ids.org/2017/07/27/suricata-4-0-released/</a>) not to my knowledge. Many rule related improvements, such as http/tls buffers were introduced in 4 that we (ET) couldn't pass up, hence the fork. Tons of under the hood stuff that makes 4.0 much better. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
but didn't see any v3.x vs v4.x differences highlighted. In contrast, I see notes specific to v1.x and v2.x in section 4.5.2.1.1.1 "Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4" (although the table in 4.5.2.1.1.2 is unreadable due to truncation).<br>
<span class="gmail-HOEnZb"><font color="#888888"><br>
<br>
--<br>
Alan Amesbury<br>
University Information Security<br>
<a href="http://umn.edu/lookup/amesbury" rel="noreferrer" target="_blank">http://umn.edu/lookup/amesbury</a><br>
<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a></font></span></blockquote></div><br></div></div>