[Oisf-users] Suricata 4.0 rule fork
Alan Amesbury
amesbury at oitsec.umn.edu
Tue Nov 28 16:29:58 UTC 2017
This message made its way to me via a coworker; my "digest" version apparently isn't due out for another half hour or so, so apologies for any misquoting.
Francis Trudeau wrote:
> The new Suricata 4.0 rules have been live on the production servers
> since Thanksgiving. Sorry for the notification delay, we wanted to
> see what happened over the US holiday weekend, and everything looks
> good.
>
> Please use the version number of your engine in the URL you use to
> retrieve the set. We changed how it works now, and some paths that
> worked before will no longer work. This was done to ensure people got
> the right set for their engine. Please check your sensors and make
> sure everything is updating correctly.
Are rulesets backwards compatible? For example, can I run a ruleset intended for a v2.x version of Suricata on a 4.x version? I have a pair of sensors that for ${REASON} haven't been able to upgrade. The bulk are on a v3.x version, but I have some running 2.x.
Also, is there a definitive list of the ruleset version differences somewhere, e.g., which features require which engine version? I looked at http://suricata.readthedocs.io/en/latest/rules/index.html but didn't see any v3.x vs v4.x differences highlighted. In contrast, I see notes specific to v1.x and v2.x in section 4.5.2.1.1.1 "Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4" (although the table in 4.5.2.1.1.2 is unreadable due to truncation).
--
Alan Amesbury
University Information Security
http://umn.edu/lookup/amesbury