On Tue, Jan 08, 2013 at 11:05:27PM -0500, Lawrence Teo wrote:
> On Sat, Dec 15, 2012 at 07:20:53PM +0100, Markus Lude wrote:
> > Hello,
> >
> > attached are updates of daq to version 2.0.0 and snort to version
> > 2.9.4.0. Build on i386 and sparc64 works. Been running it on sparc64 for
> > two days with low traffic.
> >
> > Please test, comment.
>
> Hi Markus,
>
> Thank you for the update!
>
> I have tested both diffs and here are my comments. The Snort rule
> categories are going through a reorganization (please see
> http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html)
> where a lot of rules have moved to new files.
>
> During this transition, some old rule files are now empty; for example,
> web-iis.rules now has no rules because most of them have been moved to
> the new server-iis.rules file.
>
> I have added a patch to your snort-2.9.4.0 diff so that snort.conf will
> include the new rule filenames. While there, I have also sync'ed a few
> parts of snort.conf with the snort.conf in the Dec 6, 2012 Snort ruleset
> (the latest ruleset I have access to) to make them consistent. Apart
> from that, everything remains the same. I have made no changes to your
> daq-2.0.0.diff.

The (not your) changes in snort.conf are a mess. Sometimes stuff is
forgotten for a release, old stuff seems to creep in again, ...
I'm ok with adding the new rule file names.

I received a mail noting that neither the snort package nor the VRT rule
set comes with an (even empty) local.rules. So I think we should comment
out the line
include $RULE_PATH/local.rules
in snort.conf.

> I have tested the attached snort-2.9.4.0a.diff and daq-2.0.0.diff on
> amd64 and i386 using my simple test procedure described at
> http://lteo.net/blog/2012/10/26/an-easy-way-to-test-your-snort-rules/
> and it works as expected.

Thanks!

Regards,
Markus
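An added example, not part of the thread or of the port: a small checker that walks the active `include` lines of a snort.conf and flags rule files that are missing (the `local.rules` case) or contain no active rules (the `web-iis.rules` case). The function names and the sample tree are constructed for illustration, and resolving relative paths against the directory holding snort.conf is an assumption.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")

def check_includes(conf_path):
    """Return [(include_target, status)]; status is ok, empty or missing."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, results = {}, []
    with open(conf_path) as conf:
        for line in conf:
            if line.lstrip().startswith("#"):
                continue  # commented-out lines are inactive
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = m.group(2)
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = m.group(1)
            # Expand $NAME with the var definitions seen so far.
            path = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), target)
            path = os.path.join(conf_dir, path)  # absolute paths pass through unchanged
            if not os.path.isfile(path):
                status = "missing"
            else:
                with open(path) as rules:
                    active = [l for l in rules if l.strip() and not l.lstrip().startswith("#")]
                status = "ok" if active else "empty"
            results.append((target, status))
    return results

def demo():
    files = {  # constructed sample tree, not taken from the port or the ruleset
        "rules/server-iis.rules": 'alert tcp any any -> any 80 (msg:"constructed"; sid:1000001;)\n',
        "rules/web-iis.rules": "# rules moved to server-iis.rules\n",
        "snort.conf": "var RULE_PATH rules\ninclude $RULE_PATH/local.rules\n"
                      "include $RULE_PATH/web-iis.rules\ninclude $RULE_PATH/server-iis.rules\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "rules"))
        for name, text in files.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        return check_includes(os.path.join(root, "snort.conf"))

print(demo())
```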