[Oisf-users] Suricata Rules Fork
Alan Amesbury
amesbury at oitsec.umn.edu
Thu Nov 30 16:43:13 UTC 2017
On Nov 30, 2017, at 10:24, Erich Lerch <erich.lerch at gmail.com> wrote:
> The fork absolutely DOES make sense. You say that rules failing to load on
> older versions of Suri are no big issue, Suricata will still run. It will
> run, but I won't get the alerts from the rules that failed, which IS an
> issue.
> If I still have the opportunity to load rules covering the same issues,
> but maybe without using the latest rule keywords, I'm happy to have them
> available, at least for a certain period.
That's pretty much what I was trying to determine. To me the consistency in behavior is important. I want to be able to tell an auditor that the ruleset I'm running behaves the same on all the hosts I'm running, regardless of what version of software is in place. I realize that running 2.x rules on a 4.x Suricata might mean I'm missing out on something, but in a mix of 3.x and 4.x Suricata versions, at least it means I'm doing it *consistently*. It sounds like sticking with 2.x rules is the best path for me for now.
I'm aware Suricata v3.x's EOL is near, but I'm not quite to the point of upgrading everywhere. I appreciate the reminder regarding this (thanks, Victor!), as it may help me light a fire under some people. Yes, "people" definitely includes me.... :-\
--
Alan Amesbury
University Information Security
http://umn.edu/lookup/amesbury
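The consistency check described in this thread (rules that fail to load on an older Suricata silently cost you alerts, and an auditor wants the same ruleset behaving the same on every sensor) can be made mechanical. The script below is an added example, not code from the thread or from the Suricata project: it parses the output of `suricata -T` (the config/rule test mode) collected from each sensor, pulls out the version banner and the rule-load summary line, and reports any host with failed rules or a rule count that differs from its peers. The host names, version strings and log text are constructed sample data, and the exact wording of the two log lines is an assumption to verify against the Suricata version you run.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Version banner and rule-load summary as Suricata logs them, e.g.
#   "... <Notice> - This is Suricata version 4.0.1 RELEASE"
#   "... <Info> - 1 rule files processed. 24313 rules successfully loaded, 0 rules failed"
# Assumed wording; check it against the output of your own `suricata -T` run.
VERSION_RE = re.compile(r"This is Suricata version (?P<version>\S+)")
SUMMARY_RE = re.compile(
    r"(?P<files>\d+) rule files processed\. "
    r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed"
)


@dataclass
class RuleLoadResult:
    host: str
    version: str
    loaded: int
    failed: int


def parse_load_result(host: str, log_text: str) -> Optional[RuleLoadResult]:
    """Extract version and rule-load counts from one host's `suricata -T` log.

    Returns None when the summary line is absent (e.g. Suricata aborted before
    loading rules), which the caller should treat as a finding of its own.
    """
    version = "unknown"
    for line in log_text.splitlines():
        vm = VERSION_RE.search(line)
        if vm:
            version = vm["version"]
        sm = SUMMARY_RE.search(line)
        if sm:
            return RuleLoadResult(host, version, int(sm["loaded"]), int(sm["failed"]))
    return None


def audit_consistency(results: List[RuleLoadResult]) -> List[str]:
    """Return human-readable findings; an empty list means every host agrees."""
    findings = []
    for r in results:
        if r.failed:
            findings.append(
                f"{r.host} (Suricata {r.version}): {r.failed} rule(s) failed to load"
            )
    loaded_counts = {r.loaded for r in results}
    if len(loaded_counts) > 1:
        detail = ", ".join(f"{r.host}={r.loaded}" for r in results)
        findings.append(f"loaded rule counts differ across hosts: {detail}")
    return findings


# Constructed sample logs: one 3.x sensor rejecting two rules that use a newer
# keyword, and two 4.x sensors loading the full set.
SAMPLE_LOGS: Dict[str, str] = {
    "sensor-a": (
        "30/11/2017 -- 16:00:01 - <Notice> - This is Suricata version 3.2.5 RELEASE\n"
        "30/11/2017 -- 16:00:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "
        "error parsing signature from file /etc/suricata/rules/example.rules at line 120\n"
        "30/11/2017 -- 16:00:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "
        "error parsing signature from file /etc/suricata/rules/example.rules at line 121\n"
        "30/11/2017 -- 16:00:04 - <Info> - 1 rule files processed. "
        "24311 rules successfully loaded, 2 rules failed\n"
    ),
    "sensor-b": (
        "30/11/2017 -- 16:00:01 - <Notice> - This is Suricata version 4.0.1 RELEASE\n"
        "30/11/2017 -- 16:00:04 - <Info> - 1 rule files processed. "
        "24313 rules successfully loaded, 0 rules failed\n"
    ),
    "sensor-c": (
        "30/11/2017 -- 16:00:01 - <Notice> - This is Suricata version 4.0.1 RELEASE\n"
        "30/11/2017 -- 16:00:04 - <Info> - 1 rule files processed. "
        "24313 rules successfully loaded, 0 rules failed\n"
    ),
}


def run_audit(logs: Dict[str, str] = SAMPLE_LOGS) -> List[str]:
    """Parse every host's log and return the combined list of findings."""
    results, findings = [], []
    for host, text in logs.items():
        r = parse_load_result(host, text)
        if r is None:
            findings.append(f"{host}: no rule-load summary found in log")
        else:
            results.append(r)
    return findings + audit_consistency(results)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

In practice you would collect each sensor's `suricata -T -c <suricata.yaml>` output (stderr and the log file, depending on your logging config) into the `logs` mapping, and fail the deployment step if `run_audit` returns anything. Failed-rule lines are worth keeping as evidence for the auditor, since they name the rule file and line that the older engine cannot parse.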