[Oisf-users] Suricata 4.0 rule fork

Leonard Jacobs ljacobs at netsecuris.com
Thu Nov 30 00:19:08 UTC 2017


So what does "If running 4.0, that set will work, but you'll be missing out on the new features we're targeting." mean?



 From:   Jason Williams <jwilliams at emergingthreats.net> 
 To:   Leonard <ljacobs at netsecuris.com> 
 Cc:   Francis Trudeau <ftrudeau at emergingthreats.net>, "oisf-users at openinfosecfoundation.org" <oisf-users at openinfosecfoundation.org>, Alan Amesbury <amesbury at oitsec.umn.edu> 
 Sent:   11/29/2017 6:17 PM 
 Subject:   Re: [Oisf-users] Suricata 4.0 rule fork 

On Wed, Nov 29, 2017 at 5:59 PM, Leonard <ljacobs at netsecuris.com> wrote:



So if Suricata 4.0.1 is installed and running, is it better to use the 2.x set or the 4.x set?

4.x
 

On Nov 29, 2017, at 5:21 PM, Francis Trudeau <ftrudeau at emergingthreats.net> wrote:



No more 1.x.  It will throw errors if you try to use the 2.x set.


Each set covers versions above it.  2.x set will run in anything above 2.0.  If running 4.0, that set will work, but you'll be missing out on the new features we're targeting.


-FT

On Wed, Nov 29, 2017 at 11:11 AM, Charles Devoe <Charles.Devoe at cisecurity.org> wrote:
 
 
 
So if I understand this correctly, there are Emerging Threats rules for 1.X, 2.X, and 4.X.  Are there no 3.X rulesets?
  
 
Charles DeVoe Jr. 
Manager of Engineering 
Multi-State Information Sharing and Analysis Center (MS-ISAC)                    
31 Tech Valley Drive 
East Greenbush, NY 12061 
  
charles.devoe at cisecurity.org 
(518) 266-3494 
7x24 Security Operations Center 
SOC at cisecurity.org - 1-866-787-4722 
  
  
 
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Jason Williams
 Sent: Wednesday, November 29, 2017 12:07 PM
 To: Alan Amesbury <amesbury at oitsec.umn.edu>
 Cc: oisf-users at openinfosecfoundation.org
 Subject: Re: [Oisf-users] Suricata 4.0 rule fork 

On Tue, Nov 28, 2017 at 10:29 AM, Alan Amesbury <amesbury at oitsec.umn.edu> wrote: 
This message made its way to me via a coworker; my "digest" version apparently isn't due out for another half hour or so, so apologies for any misquoting.
 
 Francis Trudeau wrote:
 
 > The new Suricata 4.0 rules have been live on the production servers
 > since Thanksgiving.  Sorry for the notification delay, we wanted to
 > see what happened over the US holiday weekend, and everything looks
 > good.
 >
 > Please use the version number of your engine in the URL you use to
 > retrieve the set.  We changed how it works now, and some paths that
 > worked before will no longer work.  This was done to ensure people got
 > the right set for their engine.  Please check your sensors and make
 > sure everything is updating correctly.
 
 Are rulesets backwards compatible?  For example, can I run a ruleset intended for a v2.x version of Suricata on a 4.x version?  I have a pair of sensors that for ${REASON} haven't been able to upgrade.  The bulk are on a v3.x version, but I have some running  2.x. 
 
  
 
As Suricata has kept compatibility with old versions, and we still have a Suricata 2.0 ruleset, at this time you can run an ET ruleset intended for a v2.x version of Suricata on a 4.x version.
 
  
Also, is there a definitive list of the ruleset version differences somewhere, e.g., which features require which engine version?  I looked at
 
          http://suricata.readthedocs.io/en/latest/rules/index.html
 
Other than patch notes (https://suricata-ids.org/2017/07/27/suricata-4-0-released/), not to my knowledge. Many rule-related improvements, such as http/tls buffers, were introduced in 4 that we (ET) couldn't pass up, hence the fork. Tons of under-the-hood stuff that makes 4.0 much better.
 
  
but didn't see any v3.x vs v4.x differences highlighted.  In contrast, I see notes specific to v1.x and v2.x in section 4.5.2.1.1.1 "Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4" (although the table in  4.5.2.1.1.2 is unreadable due to truncation).
 
 
 --
 Alan Amesbury
 University Information Security
 http://umn.edu/lookup/amesbury
 
 _______________________________________________
 Suricata IDS Users mailing list:  oisf-users at openinfosecfoundation.org
 Site:  http://suricata-ids.org | Support:  http://suricata-ids.org/support/
 List:  https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
 
 Conference:  https://suricon.net
 Trainings:  https://suricata-ids.org/training/ 
  

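The practical upshot of the thread (fetch the set that matches the engine you actually run, and expect load errors if you get it wrong) can be scripted. The following is an added example, not code from this thread nor from Emerging Threats or OISF. It derives the ET set from the version the engine reports, builds the download URL, and test-loads the result before the sensor is restarted on it. The ET Open base URL and the per-engine directory names (suricata-2.0, suricata-4.0) are assumptions about the published layout; compare them with the download instructions for your ET Open or ET Pro subscription before relying on them.

```shell
#!/bin/sh
# Added example, not code from this thread, Emerging Threats or OISF.
# Picks the ET ruleset to fetch from the version the running engine reports,
# then test-loads it before the sensor is restarted on it.
#
# Assumptions (labelled): the ET Open base URL and the per-engine directory
# names (suricata-2.0, suricata-4.0) follow the published layout as I
# understand it; compare them with the download instructions for your
# ET Open or ET Pro subscription before relying on them.

# Map the engine banner, e.g. "This is Suricata version 4.0.1 RELEASE",
# to the ET set that fits it, using the rules stated in the thread:
# there is no 3.x set, the 2.x set runs on 2.0 and above, the 4.x set is
# the one to run on 4.0 and above, and no set is published for 1.x any more.
et_ruleset_dir() {
    banner=$1
    major=$(printf '%s\n' "$banner" | sed -n 's/.*version \([0-9][0-9]*\)\.[0-9].*/\1/p')
    case "$major" in
        '')  echo "et_ruleset_dir: cannot parse an engine version from: $banner" >&2
             return 1 ;;
        1)   echo "et_ruleset_dir: no ET set is published for 1.x engines" >&2
             return 1 ;;
        2|3) echo "suricata-2.0" ;;
        *)   echo "suricata-4.0" ;;
    esac
}

# Build the download URL from the assumed ET Open layout. ET_BASE can be
# overridden, e.g. for a local mirror or a subscription URL.
et_ruleset_url() {
    dir=$(et_ruleset_dir "$1") || return 1
    echo "${ET_BASE:-https://rules.emergingthreats.net/open}/$dir/emerging.rules.tar.gz"
}

# Parse the candidate rules with the engine in test mode (-T), loading that
# file as the only signature source (-S). A set written for a newer engine
# fails to load here, in the foreground, instead of at the next restart.
et_ruleset_check() {
    cfg=$1
    rules=$2
    suricata -T -c "$cfg" -S "$rules"
}

# Demo: use the installed engine's banner if there is one; otherwise a
# constructed sample banner so the script also runs where Suricata is absent.
if command -v suricata >/dev/null 2>&1; then
    banner=$(suricata -V)
else
    banner="This is Suricata version 4.0.1 RELEASE"   # constructed sample
fi
et_ruleset_url "$banner"
```

In an update job the pieces chain as `url=$(et_ruleset_url "$(suricata -V)") && curl -fsSLo /tmp/et.tar.gz "$url"`, followed by extracting the tarball and running `et_ruleset_check` against your suricata.yaml and the rules file (or concatenation of the files you enable) before swapping it into place. Because the path is derived from the engine at run time, upgrading a sensor from 2.x or 3.x to 4.x switches it to the 4.x set on the next run without editing the fetch URL by hand, which is the failure Francis's note about changed paths is warning about.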

 