[Oisf-users] Suricata 4.0 rule fork

Jason Williams jwilliams at emergingthreats.net
Wed Nov 29 17:07:06 UTC 2017

On Tue, Nov 28, 2017 at 10:29 AM, Alan Amesbury <amesbury at oitsec.umn.edu>

> This message made its way to me via a coworker; my "digest" version
> apparently isn't due out for another half hour or so, so apologies for any
> misquoting.
> Francis Trudeau wrote:
> > The new Suricata 4.0 rules have been live on the production servers
> > since Thanksgiving.  Sorry for the notification delay, we wanted to
> > see what happened over the US holiday weekend, and everything looks
> > good.
> >
> > Please use the version number of your engine in the URL you use to
> > retrieve the set.  We changed how it works now, and some paths that
> > worked before will no longer work.  This was done to ensure people got
> > the right set for their engine.  Please check your sensors and make
> > sure everything is updating correctly.
> Are rulesets backwards compatible?  For example, can I run a ruleset
> intended for a v2.x version of Suricata on a 4.x version?  I have a pair of
> sensors that for ${REASON} haven't been able to upgrade.  The bulk are on a
> v3.x version, but I have some running 2.x.
As suricata has kept compatibility with old versions, and we still have a
Suricata 2.0 ruleset, at this time you can run an ET ruleset intended for a
v2.x version of Suricata on a 4.x version.

> Also, is there a definitive list of the ruleset version differences
> somewhere, e.g., which features require which engine version?  I looked at
>         http://suricata.readthedocs.io/en/latest/rules/index.html
Other than patch notes (
https://suricata-ids.org/2017/07/27/suricata-4-0-released/) not to my
knowledge. Many rule related improvements, such as http/tls buffers were
introduced in 4 that we (ET) couldn't pass up, hence the fork. Tons of
under the hood stuff that makes 4.0 much better.

> but didn't see any v3.x vs v4.x differences highlighted.  In contrast, I
> see notes specific to v1.x and v2.x in section "Appendix A -
> Buffers, list_id values, and Registration Order for Suricata 1.3.4"
> (although the table in is unreadable due to truncation).
> --
> Alan Amesbury
> University Information Security
> http://umn.edu/lookup/amesbury
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171129/470d13a2/attachment-0002.html>

More information about the Oisf-users mailing list