[Oisf-users] Suricata Rules Fork

Amar Rathore - CounterSnipe Systems amar at countersnipe.com
Thu Nov 30 14:14:38 UTC 2017


Hi Folks

In the light of the ongoing rule fork email exchanges, I wanted to bring the following brief conversation between Francis and me back into wider circulation.

I think, generally speaking, we can do with more preciseness in directional/strategy type responses, more coordinated messaging and most definitely longer notices of changes. That said, I know it is all open source, and people are busy and it's not always possible to fit everything in. So thank you to all of the team that makes this great IDE possible.

So to the rules thing, I still don't understand the reason for forking them. They didn't need to be forked off from 1 to 2 to 3 to 3.2, so why now? All the conversations so far are displaying confusion for anyone considering using Suricata... you know, all the new people that don't necessarily join in the conversations.

Going by Francis's response below, there will actually be no big issue even if you were to use the 4.0 rule set with previous versions of Suri.

My concern was that in a mixed environment of Suri versions, and a central rule management system, you could run into problems. But the good news is that won't be the case.

Commercial software like CounterSnipe can easily check the running version and load a rule set accordingly. I am not sure if that could be implemented within Suricata's future releases. The other point will be if Suricata already handles the "not run but error" part elegantly enough, then there is no real issue and such an option might not even be necessary! You could simply disable all of the rules specific to V4 until you upgrade.

Best

Amar

> On November 27, 2017 at 5:04 PM Francis Trudeau wrote:
> 
> 
>     In a sense, yes. We are starting to use keywords and features of
>     Suricata 4.0 in the 4.0 branch. If the new style rules are loaded in
>     Suricata < 4, they will probably error.
> 
>     It won't cause a sensor to go down, but it won't be able to run the
>     rules with the new stuff. It will basically false negative on the
>     traffic those rules were meant for.
> 
>     Let me know if that makes sense.
> 
>     -FT
> 
>     On Mon, Nov 27, 2017 at 6:28 AM, Amar Rathore - CounterSnipe Systems
>     wrote:
> 
> >         Hello Francis
> > 
> >         Does your message imply non-compatibility between <4.0 and 4.0?
> > 
> >         In that case what will happen to mixed setups?
> > 
> >         regards
> > 
> >         Amar
> > 
> >         On November 21, 2017 at 1:24 PM Francis Trudeau
> >         wrote:
> > 
> >         Please use your version in your rule download. We use this to track who is
> >         running what.
> > 
> >         For example, if you are using Suricata 4.0 use:
> > 
> >         https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz.
> > 
> >         Including the version will get you the correct ruleset for your version if
> >         we make changes. We use rewrite rules to steer requests correctly. We are
> >         forking the set today, and this will ensure you get the correct rules.
> > 
> >         Thanks,
> > 
> >         Francis
> > 
> > 
> >         On Mon, Nov 20, 2017 at 2:12 PM, dev wrote:
> > 
> >         On 11/20/2017 01:52 PM, Victor Julien wrote:
> > 
> > >         Perhaps you can try the https url instead? Same url but https.
> > 
> >         Yes, HTTPS works well. I will use that.
> >         Thank you
> >         _______________________________________________
> >         Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org mailto:oisf-users at openinfosecfoundation.org
> >         Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >         List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > 
> >         Conference: https://suricon.net
> >         Trainings: https://suricata-ids.org/training/
> > 
> > 
> > 


Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: www.countersnipe.com


This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.
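A version-aware fetch-and-test script for the procedure discussed in this thread (check the running Suricata version, pull the matching ET Open rule set, and let test mode catch rules that would error on an older engine). This is an added example, not CounterSnipe's or the ET/OISF project's code; it assumes `suricata -V` prints a banner containing "version X.Y.Z" and that ET Open serves per-version paths of the same form as the 4.0 URL quoted above.

```shell
#!/bin/sh
# Added example: pick the ET Open ruleset that matches the locally running
# Suricata and validate it with "suricata -T" before it reaches production.
# Assumptions: "suricata -V" prints "This is Suricata version X.Y.Z ...",
# and ET Open publishes /open/suricata-X.Y/emerging.rules.tar.gz for each
# version (the 4.0 path is from the thread; the general pattern is assumed).

# Extract "X.Y" from the banner text that "suricata -V" prints.
parse_suricata_version() {
    # $1: banner, e.g. "This is Suricata version 4.0.1 RELEASE"
    printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Build the version-specific ET Open download URL for an "X.Y" string.
et_rules_url() {
    printf 'https://rules.emergingthreats.net/open/suricata-%s/emerging.rules.tar.gz\n' "$1"
}

# Download the ruleset for the running sensor and run Suricata in test mode
# (-T) against it, so a rule using keywords this engine does not know fails
# here instead of silently producing false negatives on the sensor.
fetch_and_test_rules() {
    # $1: suricata.yaml path; $2: unpack directory;
    # $3: rule file inside $2 to load exclusively with -S (assumed layout)
    banner=$(suricata -V 2>&1) || return 1
    ver=$(parse_suricata_version "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse Suricata version from: $banner" >&2
        return 1
    fi
    url=$(et_rules_url "$ver")
    mkdir -p "$2" &&
        curl -fsSL "$url" | tar -xz -C "$2" &&
        suricata -T -c "$1" -S "$2/$3"
}
```

Run `fetch_and_test_rules /etc/suricata/suricata.yaml /var/lib/suricata/et-open rules/emerging-all.rules` on a sensor; a non-zero exit means the ruleset did not load cleanly on that version and should not be pushed from the central rule manager.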