<html><head></head><body><font size="3"><font face="Arial">So what does "</font></font><span class="mcnt">If running 4.0, that set will work, but you'll be missing out on the new features we're targeting." mean?</span><br><br><br><div><strong>
From:
</strong>
 
Jason Williams <jwilliams@emergingthreats.net>
<br>
<strong>
To:
</strong>
 
Leonard <ljacobs@netsecuris.com>
<br>
<strong>
Cc:
</strong>
 
Francis Trudeau <ftrudeau@emergingthreats.net>, "oisf-users@openinfosecfoundation.org" <oisf-users@openinfosecfoundation.org>, Alan Amesbury <amesbury@oitsec.umn.edu>
<br>
<strong>
Sent:
 
</strong>
11/29/2017 6:17 PM
<br>
<strong>
Subject:
</strong>
 
Re: [Oisf-users] Suricata 4.0 rule fork
<br><br><blockquote class="mori" style="margin:0 0 0 .8ex;border-left:1px solid #CCC;padding-left:1ex;"><div><br><div class="mcntgmail_extra"><br><div class="mcntgmail_quote">On Wed, Nov 29, 2017 at 5:59 PM, Leonard <span><<a href="mailto:ljacobs@netsecuris.com" target="_blank" title="Send email to ljacobs@netsecuris.com" class="mailto">ljacobs@netsecuris.com</a>></span> wrote:<br><blockquote class="mcntgmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div></div><div>So if Suricata 4.0.1 is installed and running, is it better to use the 2.x set or the 4.x set?</div><span class="mcnt"><div><br></div></span></div></blockquote><div><br></div><div>4.x</div><div> </div><blockquote class="mcntgmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><span class="mcnt"><div>On Nov 29, 2017, at 5:21 PM, Francis Trudeau <<a href="mailto:ftrudeau@emergingthreats.net" target="_blank" title="Send email to ftrudeau@emergingthreats.net" class="mailto">ftrudeau@emergingthreats.net</a>> wrote:<br><br></div></span><blockquote type="cite"><div><span class="mcnt"><div>No more 1.x.  It will throw errors if you try to use the 2.x set.<div><br></div><div>Each set covers versions above it.  2.x set will run in anything above 2.0.  
If running 4.0, that set will work, but you'll be missing out on the new features we're targeting.</div><div><br></div><div>-FT</div><div><br></div><div><br></div><div><br></div><div><br></div></div></span><div class="mcntgmail_extra"><br><div class="mcntgmail_quote"><span class="mcnt">On Wed, Nov 29, 2017 at 11:11 AM, Charles Devoe <span><<a href="mailto:Charles.Devoe@cisecurity.org" target="_blank" title="Send email to Charles.Devoe@cisecurity.org" class="mailto">Charles.Devoe@cisecurity.org</a>></span> wrote:<br></span><blockquote class="mcntgmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">



<div>
<div class="mcntm_-3425788003415063060m_6071537731131842831WordSection1"><span class="mcnt">
<p class="mcntMsoNormal"><span style="font-size: 11pt; font-family: "Arial", sans-serif;">So if I understand this correctly.  There are Emerging Threats rules for 1.X, 2.X, and 4.X.  Are there no 3.X rulesets? 
<u></u><u></u></span></p>
<p class="mcntMsoNormal"><span style="font-size: 11pt; font-family: "Arial", sans-serif;"><u></u> <u></u></span></p>
</span><div><span class="mcnt">
<p class="mcntMsoNormal"><b>Charles DeVoe Jr.</b><u></u><u></u></p>
<p class="mcntMsoNormal">Manager of Engineering<u></u><u></u></p>
<p class="mcntMsoNormal">Multi-State Information Sharing and Analysis Center (MS-ISAC)<u></u><u></u></p>
</span>
</div><div><div class="mcnth5">
<p class="mcntMsoNormal"><span style="font-size: 11pt; font-family: "Arial", sans-serif;"><u></u> <u></u></span></p>
<div>
<div style="border-color: rgb(225, 225, 225) currentcolor currentcolor; border-style: solid none none; border-width: 1pt medium medium; border-image: none 100% / 1 / 0 stretch; -moz-border-top-colors: none; -moz-border-left-colors: none; -moz-border-bottom-colors: none; -moz-border-right-colors: none; padding: 3pt 0in 0in;">
<p class="mcntMsoNormal"><b><span style="font-size: 11pt; font-family: "Calibri", sans-serif;">From:</span></b><span style="font-size: 11pt; font-family: "Calibri", sans-serif;"> Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank" title="Send email to oisf-users-bounces@lists.openinfosecfoundation.org" class="mailto">oisf-users-bounces@lists.openinfosecfoundation.org</a>]
<b>On Behalf Of </b>Jason Williams<br>
<b>Sent:</b> Wednesday, November 29, 2017 12:07 PM<br>
<b>To:</b> Alan Amesbury <<a href="mailto:amesbury@oitsec.umn.edu" target="_blank" title="Send email to amesbury@oitsec.umn.edu" class="mailto">amesbury@oitsec.umn.edu</a>><br>
<b>Cc:</b> <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank" title="Send email to oisf-users@openinfosecfoundation.org" class="mailto">oisf-users@openinfosecfoundation.org</a><br>
<b>Subject:</b> Re: [Oisf-users] Suricata 4.0 rule fork<u></u><u></u></span></p>
</div>
</div><div><div class="mcntm_-3425788003415063060h5">
<p class="mcntMsoNormal"><u></u> <u></u></p>
<p class="mcntMsoNormal" style="margin-bottom: 12pt;"><br>
<br>
<u></u><u></u></p>
<div>
<div>
<div>
<p class="mcntMsoNormal">On Tue, Nov 28, 2017 at 10:29 AM, Alan Amesbury <<a href="mailto:amesbury@oitsec.umn.edu" target="_blank" title="Send email to amesbury@oitsec.umn.edu" class="mailto">amesbury@oitsec.umn.edu</a>> wrote:<u></u><u></u></p>
<blockquote style="border-color: currentcolor currentcolor currentcolor rgb(204, 204, 204); border-style: none none none solid; border-width: medium medium medium 1pt; border-image: none 100% / 1 / 0 stretch; -moz-border-top-colors: none; -moz-border-left-colors: none; -moz-border-bottom-colors: none; -moz-border-right-colors: none; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;">
<p class="mcntMsoNormal" style="margin-bottom: 12pt;">This message made its way to me via a coworker; my "digest" version apparently isn't due out for another half hour or so, so apologies for any misquoting.<br>
<br>
Francis Trudeau wrote:<br>
<br>
> The new Suricata 4.0 rules have been live on the production servers<br>
> since Thanksgiving.  Sorry for the notification delay, we wanted to<br>
> see what happened over the US holiday weekend, and everything looks<br>
> good.<br>
><br>
> Please use the version number of your engine in the URL you use to<br>
> retrieve the set.  We changed how it works now, and some paths that<br>
> worked before will no longer work.  This was done to ensure people got<br>
> the right set for their engine.  Please check your sensors and make<br>
> sure everything is updating correctly.<br>
<br>
Are rulesets backwards compatible?  For example, can I run a ruleset intended for a v2.x version of Suricata on a 4.x version?  I have a pair of sensors that for ${REASON} haven't been able to upgrade.  The bulk are on a v3.x version, but I have some running
 2.x.<u></u><u></u></p>
</blockquote>
<div>
<p class="mcntMsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="mcntMsoNormal">As Suricata has kept compatibility with old versions, and we still have a Suricata 2.0 ruleset, at this time you can run an ET ruleset intended for a v2.x version of Suricata on a 4.x version.<u></u><u></u></p>
</div>
<div>
<p class="mcntMsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border-color: currentcolor currentcolor currentcolor rgb(204, 204, 204); border-style: none none none solid; border-width: medium medium medium 1pt; border-image: none 100% / 1 / 0 stretch; -moz-border-top-colors: none; -moz-border-left-colors: none; -moz-border-bottom-colors: none; -moz-border-right-colors: none; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;">
<p class="mcntMsoNormal" style="margin-bottom: 12pt;">Also, is there a definitive list of the ruleset version differences somewhere, e.g., which features require which engine version?  I looked at<br>
<br>
        <a href="http://suricata.readthedocs.io/en/latest/rules/index.html" target="_blank">
http://suricata.readthedocs.io/en/latest/rules/index.html</a><br>
<br>
<u></u><u></u></p>
</blockquote>
<div>
<p class="mcntMsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="mcntMsoNormal">Other than the patch notes (<a href="https://suricata-ids.org/2017/07/27/suricata-4-0-released/" target="_blank">https://suricata-ids.org/2017/07/27/suricata-4-0-released/</a>), not to my knowledge. Many rule-related improvements, such as http/tls buffers, were introduced in 4 that we (ET) couldn't pass up, hence the fork. Tons of under-the-hood stuff that makes 4.0 much better.<u></u><u></u></p>
</div>
<div>
<p class="mcntMsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border-color: currentcolor currentcolor currentcolor rgb(204, 204, 204); border-style: none none none solid; border-width: medium medium medium 1pt; border-image: none 100% / 1 / 0 stretch; -moz-border-top-colors: none; -moz-border-left-colors: none; -moz-border-bottom-colors: none; -moz-border-right-colors: none; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;">
<p class="mcntMsoNormal">but didn't see any v3.x vs v4.x differences highlighted.  In contrast, I see notes specific to v1.x and v2.x in section 4.5.2.1.1.1 "Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4" (although the table in
 4.5.2.1.1.2 is unreadable due to truncation).<br>
<span style="color: rgb(136, 136, 136);"><br>
<br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">--</span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">Alan Amesbury</span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">University Information Security</span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb"><a href="http://umn.edu/lookup/amesbury" target="_blank">http://umn.edu/lookup/amesbury</a></span><br>
<br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">_______________________________________________</span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank" title="Send email to oisf-users@openinfosecfoundation.org" class="mailto">
oisf-users@openinfosecfoundation.org</a></span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">Site: <a href="http://suricata-ids.org" target="_blank">
http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">
http://suricata-ids.org/support/</a></span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br>
<br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">Conference: <a href="https://suricon.net" target="_blank">
https://suricon.net</a></span><br>
<span class="mcntm_-3425788003415063060m_6071537731131842831gmail-hoenzb">Trainings: <a href="https://suricata-ids.org/training/" target="_blank">
https://suricata-ids.org/training/</a></span></span><u></u><u></u></p>
</blockquote>
</div>
<p class="mcntMsoNormal"><u></u> <u></u></p>
</div>
</div>
</div></div>
</div></div></div><div><div class="mcnth5">
</div></div></div><div><div class="mcnth5">
</div></div></blockquote></div><br></div>
</div></blockquote></div></blockquote></div><br></div>
</blockquote></div></body></html>