[Oisf-users] Suricata Rules Fork
Michael Stone
mstone at mathom.us
Thu Nov 30 18:57:44 UTC 2017
On Thu, Nov 30, 2017 at 01:49:56PM -0500, amar at countersnipe.com wrote:
>
> On November 30, 2017 at 11:24 AM Erich Lerch <erich.lerch at gmail.com> wrote:
>
> The fork absolutely DOES make sense. You say that rules failing to load on
> older versions of Suri are no big issue, Suricata will still run. It will
> run, but I won't get the alerts from the rules that failed, which IS an
> issue.
>
> If those certain rules are written to use the features provided for by V4, why
> does it matter if they are not active on <V4? If you want them in you will
> upgrade to V4.
The same rule can be written using v4 functionality or not. If you get
the v4 ruleset you get the newer syntax and if you get the older ruleset
you get the older syntax. (For example, you can search for a string
"User-Agent: foo" instead of using the user agent keyword to match
"foo".) It will work either way, but there are potentially optimizations
which can be made when using the newer, more descriptive, syntax. If you
want to stick with the older syntax, go for it--I'm personally happy to
see the rules using more of the functionality in suricata, making it
more productive to add new optimizations in the future.
Mike Stone
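The "same rule, two syntaxes" point above, written out as an added example (constructed here, not taken from the thread or from any published ruleset): both signatures alert on an outbound HTTP request whose User-Agent is "foo". The first searches the raw header block for the literal header line; the second uses the `http_user_agent` keyword so Suricata only inspects the normalized User-Agent buffer. The `msg` text and the `sid` values in the local 1000000+ range are placeholders chosen for this example.

```suricata
# Older syntax: look for the literal "User-Agent: foo" line anywhere in the
# HTTP request headers (|3a 20| is the hex-escaped ": ").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE User-Agent foo (raw header match)"; flow:established,to_server; content:"User-Agent|3a 20|foo"; http_header; sid:1000001; rev:1;)

# Newer, more descriptive syntax: restrict the match to the User-Agent buffer
# itself, so the engine can pick the right inspection path for it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE User-Agent foo (http_user_agent buffer)"; flow:established,to_server; content:"foo"; http_user_agent; sid:1000002; rev:1;)
```

Before deploying either form, load the file in test mode (`suricata -T -S example.rules`) against the Suricata version actually running, which is exactly the check that decides whether a rule from the newer fork will be active on an older install.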