[Oisf-users] Suricata Rules Fork

Erich Lerch erich.lerch at gmail.com
Thu Nov 30 16:24:45 UTC 2017


The fork absolutely DOES make sense. You say that rules failing to load on
older versions of Suri are no big issue, Suricata will still run. It will
run, but I won't get the alerts from the rules that failed, which IS an
issue.
If I still have the opportunity to load rules covering the same issues,
but maybe without using the latest rule keywords, I'm happy to have them
available, at least for a certain period.

Cheers,
Erich


2017-11-30 15:14 GMT+01:00 Amar Rathore - CounterSnipe Systems <
amar at countersnipe.com>:

> Hi Folks
>
> In the light of ongoing rule fork email exchanges, I wanted to bring the
> following brief conversation, between Francis and me, back into wider
> circulation.
>
> I think generally speaking, we can do with more preciseness in
> directional/strategy type responses, more coordinated messaging and most
> definitely longer notices of changes. That said, I know it is all open
> source, and people are busy and it's not always possible to fit everything
> in. So thank you to all of the team that makes this great IDE possible.
>
> So to the rules thing, I still don't understand the reason for forking
> them. They didn't need to be forked off from 1 to 2 to 3 to 3.2 so why now?
> All the conversations so far are displaying confusion for anyone
> considering using Suricata... you know all the new people that don't
> necessarily join in in the conversations.
>
> Going by Francis's response below, there will actually be no big issue
> even if you were to use 4.0 rule set with previous versions of Suri.
>
> My concern was that in a mixed environment of Suri versions, and a central
> rule management system, you could run into problems. But the good news is
> that won't be the case.
>
> Commercial Software like CounterSnipe, can easily check the running
> version and load a rule set accordingly. I am not sure if that could be
> implemented within Suricata's future releases. The other point will be if
> Suricata already handles "not run but error" part elegantly enough, then
> there is no real issue and such an option might not even be necessary! You
> could simply disable all of the rules specific to V4, until you upgrade.
>
> Best
>
> Amar
>
> On November 27, 2017 at 5:04 PM Francis Trudeau wrote:
>
>
> In a sense, yes. We are starting to use keywords and features of
> Suricata 4.0 in the 4.0 branch. If the new style rules are loaded in
> Suricata < 4, they will probably error.
>
> It won't cause a sensor to go down, but it won't be able to run the
> rules with the new stuff. It will basically false negative on the
> traffic those rules were meant for.
>
> Let me know if that makes sense.
>
> -FT
>
> On Mon, Nov 27, 2017 at 6:28 AM, Amar Rathore - CounterSnipe Systems
> wrote:
>
> Hello Francis
>
> Does your message imply non-compatibility between <4.0 and 4.0?
>
> In that case what will happen to mixed setups?
>
> regards
>
> Amar
>
> On November 21, 2017 at 1:24 PM Francis Trudeau
> wrote:
>
> Please use your version in your rule download. We use this to track who is
> running what.
>
> For example, if you are using Suricata 4.0 use:
>
> https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz.
>
> Including the version will get you the correct ruleset for your version if
> we make changes. We use rewrite rules to steer requests correctly. We are
> forking the set today, and this will ensure you get the correct rules.
>
> Thanks,
>
> Francis
>
> On Mon, Nov 20, 2017 at 2:12 PM, dev wrote:
>
> On 11/20/2017 01:52 PM, Victor Julien wrote:
>
> Perhaps you can try the https url instead? Same url but https.
>
> Yes, HTTPS works well. I will use that.
> Thank you
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
>
>
>
> Kind regards
>
> Amar Rathore
>
> CounterSnipe Systems LLC
> Tel: +1 617 701 7213
> Mobile: +44 (0) 7876 233333
> Skype ID: amarrathore
> Web: www.countersnipe.com
>
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete
> this e-mail from your system.
>
> E-mail transmission cannot be guaranteed to be secure or error-free as
> information could be intercepted, corrupted, lost, destroyed, arrive late
> or
> incomplete, or contain viruses. The sender therefore does not accept
> liability for any errors or omissions.
>
>
>
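Francis's advice above (put the sensor's version in the rule download path, e.g. `.../open/suricata-4.0/...`) and Amar's point that a central rule manager can pick the rule set per running version together describe a small routing step. Here is an added Python sketch of that step, written for this page and not taken from the thread, CounterSnipe or the Suricata project. It assumes the banner format printed by `suricata -V` ("This is Suricata version 4.0.1 RELEASE") and assumes that the ET Open branch names follow the `suricata-<major>.<minor>` pattern the thread shows for 4.0; the sensor inventory is constructed sample data.

```python
import re
from collections import defaultdict

# Base path taken from the URL Francis gave in the thread.
ET_OPEN_BASE = "https://rules.emergingthreats.net/open"

# Matches the banner printed by `suricata -V`, e.g.
# "This is Suricata version 4.0.1 RELEASE" (format assumed, not from the thread).
VERSION_RE = re.compile(r"Suricata version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a `suricata -V` banner, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def ruleset_branch(version):
    """Map a sensor version to the branch name used in the ET Open download path.

    The thread confirms 'suricata-4.0'; using major.minor for other versions is an
    assumption of this example."""
    major, minor, _ = version
    return "suricata-%d.%d" % (major, minor)


def ruleset_url(version):
    """Build the versioned emerging.rules.tar.gz URL for one sensor version."""
    return "%s/%s/emerging.rules.tar.gz" % (ET_OPEN_BASE, ruleset_branch(version))


def plan_downloads(sensors):
    """Group sensors (name -> banner text) by the rule set URL each one needs.

    Sensors whose banner cannot be parsed are reported separately instead of
    being handed a default set: as Erich notes, rules that fail to load mean
    missed alerts, so guessing the version is worse than flagging it."""
    plan = defaultdict(list)
    unknown = []
    for name, banner in sensors.items():
        version = parse_version(banner)
        if version is None:
            unknown.append(name)
            continue
        plan[ruleset_url(version)].append(name)
    return dict(plan), unknown


# Constructed inventory of a mixed deployment; banners mimic `suricata -V` output.
SENSORS = {
    "edge-1": "This is Suricata version 4.0.1 RELEASE",
    "edge-2": "This is Suricata version 3.2.4 RELEASE",
    "lab-1": "This is Suricata version 4.0.0 RELEASE",
    "broken": "suricata: command not found",
}

if __name__ == "__main__":
    plan, unknown = plan_downloads(SENSORS)
    for url, names in sorted(plan.items()):
        print(url, "->", ", ".join(sorted(names)))
    if unknown:
        print("could not determine version for:", ", ".join(unknown))
```

In a real deployment the banner would come from running `suricata -V` on each sensor (or from an inventory that records it), and the fetch for each URL would follow; keeping the version-to-URL mapping in one function makes it easy to adjust if the branch naming changes.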