[Oisf-users] Suricata 4.0 rule fork

Jason Williams jwilliams at emergingthreats.net
Wed Nov 29 18:13:49 UTC 2017


On Wed, Nov 29, 2017 at 12:11 PM, Charles Devoe <Charles.Devoe at cisecurity.org> wrote:

> So if I understand this correctly.  There are Emerging Threats rules for
> 1.X, 2.X, and 4.X.  Are there no 3.X rulesets?
>
>
>

2.x works for 3.x


> *Charles DeVoe Jr.*
>
> Manager of Engineering
>
> Multi-State Information Sharing and Analysis Center
> (MS-ISAC)
>
> 31 Tech Valley Drive
>
> East Greenbush, NY 12061
>
>
>
> charles.devoe at cisecurity.org
>
> (518) 266-3494
>
> 7x24 Security Operations Center
>
> SOC at cisecurity.org - 1-866-787-4722
>
>
>
>
>
>
>
>
> *From:* Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] *On Behalf Of *Jason Williams
> *Sent:* Wednesday, November 29, 2017 12:07 PM
> *To:* Alan Amesbury <amesbury at oitsec.umn.edu>
> *Cc:* oisf-users at openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] Suricata 4.0 rule fork
>
>
>
>
>
> On Tue, Nov 28, 2017 at 10:29 AM, Alan Amesbury <amesbury at oitsec.umn.edu>
> wrote:
>
> This message made its way to me via a coworker; my "digest" version
> apparently isn't due out for another half hour or so, so apologies for any
> misquoting.
>
> Francis Trudeau wrote:
>
> > The new Suricata 4.0 rules have been live on the production servers
> > since Thanksgiving.  Sorry for the notification delay, we wanted to
> > see what happened over the US holiday weekend, and everything looks
> > good.
> >
> > Please use the version number of your engine in the URL you use to
> > retrieve the set.  We changed how it works now, and some paths that
> > worked before will no longer work.  This was done to ensure people got
> > the right set for their engine.  Please check your sensors and make
> > sure everything is updating correctly.
>
> Are rulesets backwards compatible?  For example, can I run a ruleset
> intended for a v2.x version of Suricata on a 4.x version?  I have a pair of
> sensors that for ${REASON} haven't been able to upgrade.  The bulk are on a
> v3.x version, but I have some running 2.x.
>
>
>
> As suricata has kept compatibility with old versions, and we still have a
> Suricata 2.0 ruleset, at this time you can run an ET ruleset intended for a
> v2.x version of Suricata on a 4.x version.
>
>
>
> Also, is there a definitive list of the ruleset version differences
> somewhere, e.g., which features require which engine version?  I looked at
>
>         http://suricata.readthedocs.io/en/latest/rules/index.html
>
>
>
> Other than patch notes (https://suricata-ids.org/2017/07/27/suricata-4-0-released/)
> not to my knowledge. Many rule related improvements, such as
> http/tls buffers were introduced in 4 that we (ET) couldn't pass up, hence
> the fork. Tons of under the hood stuff that makes 4.0 much better.
>
>
>
> but didn't see any v3.x vs v4.x differences highlighted.  In contrast, I
> see notes specific to v1.x and v2.x in section 4.5.2.1.1.1 "Appendix A -
> Buffers, list_id values, and Registration Order for Suricata 1.3.4"
> (although the table in 4.5.2.1.1.2 is unreadable due to truncation).
>
>
> --
> Alan Amesbury
> University Information Security
> http://umn.edu/lookup/amesbury
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
>
>
>
> .....
> This message and attachments may contain confidential information. If it
> appears that this message was sent to you by mistake, any retention,
> dissemination, distribution or copying of this message and attachments is
> strictly prohibited. Please notify the sender immediately and permanently
> delete the message and any attachments.
>
> . . . . .
>
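The thread's practical point is that a sensor must fetch the ET ruleset branch that matches its engine major version (1.x, 2.x or 4.x, with 2.x also serving 3.x engines) and then confirm the download actually succeeded, since paths that used to work may now fail. The script below is an added example, not code from the thread or from Emerging Threats: it parses `suricata -V` output, applies the version-to-branch mapping stated in the thread, and sanity-checks a downloaded bundle. The download URL template (`rules.example.invalid`) and the function names are placeholders and assumptions; look up the real ET download path before using this on a sensor.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Emerging Threats.
# Picks the ET ruleset branch from the installed Suricata version using the
# mapping given in the thread (2.x ruleset also serves 3.x engines), then
# verifies that what was fetched is really a gzip bundle rather than an
# error page. The base URL is a PLACEHOLDER ASSUMPTION for illustration.
ET_RULES_BASE="https://rules.example.invalid/open"   # assumed, not real

# Extract "MAJOR.MINOR.PATCH" from `suricata -V` output such as
# "This is Suricata version 4.0.1 RELEASE". Fails if no version is found.
parse_suricata_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Map an engine version to the ruleset branch described in the thread.
# Returns non-zero for majors the thread does not cover (e.g. 5.x).
ruleset_for_version() {
    major=${1%%.*}
    case "$major" in
        1)   echo "1.x" ;;
        2|3) echo "2.x" ;;   # thread: "2.x works for 3.x"
        4)   echo "4.x" ;;
        *)   return 1 ;;
    esac
}

# Build the download URL for a given engine version (assumed URL layout).
ruleset_url() {
    branch=$(ruleset_for_version "$1") || return 1
    printf '%s/suricata-%s/emerging.rules.tar.gz\n' "$ET_RULES_BASE" "$branch"
}

# "Make sure everything is updating correctly": a real bundle is non-empty and
# starts with the gzip magic bytes 1f 8b. An HTML 404 page or an empty file
# produced by a broken path fails this check.
looks_like_gzip() {
    [ -s "$1" ] || return 1
    magic=$(od -An -N2 -tx1 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Fetch the bundle for the locally installed engine and validate it.
# Not invoked automatically; call `update_rules /path/to/out.tar.gz` yourself.
update_rules() {
    out=$1
    ver=$(parse_suricata_version "$(suricata -V 2>/dev/null)") || {
        echo "could not determine Suricata version" >&2; return 1; }
    url=$(ruleset_url "$ver") || {
        echo "no ruleset branch known for Suricata $ver" >&2; return 1; }
    # -f makes curl fail on HTTP errors instead of saving the error body.
    curl -fsSL -o "$out" "$url" || { echo "download failed: $url" >&2; return 1; }
    looks_like_gzip "$out" || { echo "downloaded file is not gzip: $out" >&2; return 1; }
    echo "fetched $url for Suricata $ver"
}
```

Running `update_rules /var/tmp/emerging.rules.tar.gz` on a sensor would select the branch and refuse to overwrite a good ruleset with an error page; the branch mapping can be checked offline with `ruleset_for_version 3.2.1`, which prints `2.x`.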