[Oisf-users] Suricata 4.0 rule fork

Jason Williams jwilliams at emergingthreats.net
Thu Nov 30 00:17:35 UTC 2017


On Wed, Nov 29, 2017 at 5:59 PM, Leonard <ljacobs at netsecuris.com> wrote:

> So if Suricata 4.0.1 is installed and running, is it better to use the 2.x
> set or the 4.x set?
>
>
4.x


> On Nov 29, 2017, at 5:21 PM, Francis Trudeau <ftrudeau at emergingthreats.net>
> wrote:
>
> No more 1.x.  It will throw errors if you try to use the 2.x set.
>
> Each set covers versions above it.  2.x set will run in anything above
> 2.0.  If running 4.0, that set will work, but you'll be missing out on the
> new features we're targeting.
>
> -FT
>
>
>
>
>
> On Wed, Nov 29, 2017 at 11:11 AM, Charles Devoe <
> Charles.Devoe at cisecurity.org> wrote:
>
>> So if I understand this correctly.  There are Emerging Threats rules for
>> 1.X, 2.X, and 4.X.  Are there no 3.X rulesets?
>>
>>
>>
>> *Charles DeVoe Jr.*
>>
>> Manager of Engineering
>>
>> Multi-State Information Sharing and Analysis Center
>> (MS-ISAC)
>>
>> 31 Tech Valley Drive
>>
>> East Greenbush, NY 12061
>>
>>
>>
>> charles.devoe at cisecurity.org
>>
>> (518) 266-3494
>>
>> 7x24 Security Operations Center
>>
>> SOC at cisecurity.org - 1-866-787-4722
>>
>>
>>
>>
>>
>>
>>
>>
>> *From:* Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] *On Behalf Of *Jason Williams
>> *Sent:* Wednesday, November 29, 2017 12:07 PM
>> *To:* Alan Amesbury <amesbury at oitsec.umn.edu>
>> *Cc:* oisf-users at openinfosecfoundation.org
>> *Subject:* Re: [Oisf-users] Suricata 4.0 rule fork
>>
>>
>>
>>
>>
>> On Tue, Nov 28, 2017 at 10:29 AM, Alan Amesbury <amesbury at oitsec.umn.edu>
>> wrote:
>>
>> This message made its way to me via a coworker; my "digest" version
>> apparently isn't due out for another half hour or so, so apologies for any
>> misquoting.
>>
>> Francis Trudeau wrote:
>>
>> > The new Suricata 4.0 rules have been live on the production servers
>> > since Thanksgiving.  Sorry for the notification delay, we wanted to
>> > see what happened over the US holiday weekend, and everything looks
>> > good.
>> >
>> > Please use the version number of your engine in the URL you use to
>> > retrieve the set.  We changed how it works now, and some paths that
>> > worked before will no longer work.  This was done to ensure people got
>> > the right set for their engine.  Please check your sensors and make
>> > sure everything is updating correctly.
>>
>> Are rulesets backwards compatible?  For example, can I run a ruleset
>> intended for a v2.x version of Suricata on a 4.x version?  I have a pair of
>> sensors that for ${REASON} haven't been able to upgrade.  The bulk are on a
>> v3.x version, but I have some running 2.x.
>>
>>
>>
>> As Suricata has kept compatibility with old versions, and we still have a
>> Suricata 2.0 ruleset, at this time you can run an ET ruleset intended for a
>> v2.x version of Suricata on a 4.x version.
>>
>>
>>
>> Also, is there a definitive list of the ruleset version differences
>> somewhere, e.g., which features require which engine version?  I looked at
>>
>>         http://suricata.readthedocs.io/en/latest/rules/index.html
>>
>>
>>
>> Other than the patch notes (https://suricata-ids.org/2017/07/27/suricata-4-0-released/),
>> not to my knowledge. Many rule-related improvements, such as http/tls buffers,
>> were introduced in 4 that we (ET) couldn't pass up, hence the fork. Tons of
>> under-the-hood stuff that makes 4.0 much better.
>>
>>
>>
>> but didn't see any v3.x vs v4.x differences highlighted.  In contrast, I
>> see notes specific to v1.x and v2.x in section 4.5.2.1.1.1 "Appendix A -
>> Buffers, list_id values, and Registration Order for Suricata 1.3.4"
>> (although the table in 4.5.2.1.1.2 is unreadable due to truncation).
>>
>>
>> --
>> Alan Amesbury
>> University Information Security
>> http://umn.edu/lookup/amesbury
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>>
>>
>>
>>
>>
>
>
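To act on the advice in the thread (put the engine version in the download URL and verify each sensor pulls a set it can actually run), here is an added example that is not from the thread, from OISF or from Emerging Threats: a small Python checker that parses `suricata -V` output and compares the engine version with the set family named in a configured download URL. The `suricata-<major>.<minor>` path segment, the sample version string and the example URLs are assumptions, not the ET download layout.

```python
import re

# Constructed sample of `suricata -V` output (assumed format, not from the thread).
SAMPLE_VERSION_OUTPUT = "This is Suricata version 4.0.1 RELEASE"

# ET set families as described in the thread: the 1.x set is gone, and each
# remaining set covers every engine version at or above its own.
RULESET_FAMILIES = [(2, 0), (4, 0)]


def parse_engine_version(text):
    """Return (major, minor) from `suricata -V` style output."""
    m = re.search(r"version\s+(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Suricata version found in output")
    return int(m.group(1)), int(m.group(2))


def recommended_ruleset(engine):
    """Newest ET set family the engine can run, e.g. (4, 0) for a 4.0.1 engine."""
    candidates = [f for f in RULESET_FAMILIES if f <= engine]
    if not candidates:
        raise ValueError("engine %d.%d predates every supported set" % engine)
    return max(candidates)


def check_sensor(version_output, ruleset_url):
    """Classify a sensor's configured URL against its engine version.

    Returns 'ok', 'outdated-set' (works but misses newer features),
    'incompatible' (set is newer than the engine or no longer published),
    or 'unknown' (URL carries no recognisable set version).
    """
    engine = parse_engine_version(version_output)
    best = recommended_ruleset(engine)
    # Assumed URL convention: a 'suricata-<major>.<minor>' path segment.
    m = re.search(r"suricata-(\d+)\.(\d+)", ruleset_url)
    if not m:
        return "unknown"
    configured = (int(m.group(1)), int(m.group(2)))
    if configured not in RULESET_FAMILIES or configured > engine:
        return "incompatible"
    if configured < best:
        return "outdated-set"
    return "ok"
```

Run it against each sensor's `suricata -V` output and its rule-fetch URL; anything other than `ok` is a sensor to look at.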