[Emerging-Sigs] Rule question

Joel Esler joel.esler at me.com
Wed Oct 20 10:23:23 EDT 2010


On Oct 20, 2010, at 9:19 AM, evilghost at packetmail.net wrote:

>> We need to at least all get to 2.8.6.1. 2.8.4 is over a year old, I think it came out in May of 09. It's important to stay current, or at least current-ish. Aside from the new functionality and speed improvements, we make improvements to make detection more accurate, and detect things you may be missing with an older version.
> 
> You're insane... :)
> 

Be that as it may.


>> By supporting older versions, I think, personally, all you are doing is keeping people content with the older versions of software. Supporting their bad habits is not good. That's not Sourcefire's opinion, that's just mine, but you wouldn't keep an old unpatched version of Adobe Reader around because it's "too difficult" to upgrade, would you?
> 
> I'd keep people on older versions of Adobe unless they needed the new
> features added or weren't vulnerable to a security vulnerability.  Adobe
> is a poor comparison here.

Hope you don't work for my bank.  But okay, let's draw a better analogy: you wouldn't not update your antivirus because it's too painful, right?  I'm not arguing, I'm throwing out food for thought. It's clear that I've lost this argument in the past; those are those people that we find that are still running Snort 2.1, and wondering why the Snort 2.9 rules won't work on it.  Our stance is that you should keep the IDS software up to date; we update it for more reasons than just innovations and improvements.  We update it to make sure we also detect everything as well.

> Doesn't the SF appliance run an outdated "custom rolled" version of RHEL?

The Sourcefire system runs Sourcefire OS. I don't know what it was originally based on, but if it was RHEL, it doesn't operate or resemble it in any way, shape, or form anymore.  We do keep it updated with our version upgrades.




--
Joel Esler
http://www.joelesler.net
