Snort mailing list archives
Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
From: Jason Brvenik <jason () sourcefire com>
Date: Sat, 19 Mar 2011 11:54:31 -0400
On Sat, Mar 19, 2011 at 9:45 AM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:
> On Mar 18, 2011, at 7:45 PM, Jason Brvenik wrote:
>> On Fri, Mar 18, 2011 at 5:32 PM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:
>>> You make a good point, but I fear that'd be more confusing. If the sids aren't the same then folks will assume they're different rules, and run them all. The average new snort/suricata user gets rule crazy (I remember doing it :) ) and just downloading and enabling everything they can find. I think we'd end up wasting a lot of cpu cycles.... But I'm flexible. We're a community. Let's decide together. I've voted for keeping them the same, because we don't have a need to run them at the same time, and they're GPL so it's free use.
>>
>> Define "them" please. Is your assertion that users don't need to run VRT and ET rule sets?
>
> Them here = the GPL rules sid 3164 and under. I'm making the point that no one would need to run both the ET version of the gpl rules and the VRT version of them, so sid duplication is a moot point. In fact, we'll cause issues IF we put them in different sid ranges because folks will assume they need to run both then...

Instead we have a situation where old rules are deprecated, superseded, colliding, etc. I think that in general folks assume they need both already; enlightenment comes later. Causing new users pain for what amounts to an ideological position. I don't believe duplicating them in any form is appropriate unless there is a divergence in what they do and detect, thus creating a new rule. Ultimately I posit that duplication of inspection content and not SID isn't going to change things greatly compared to the use of 10K+ rules already deployed from both sets and the clear pain it presents to new and long-standing users.

> Matt
>
>>> Thoughts?
>>>
>>> Matt
>>>
>>> On Mar 18, 2011, at 5:20 PM, Weir, Jason wrote:
>>>> Seems to me it might be time for ET to re-name and re-sid those rules. Then VRT and ET can go in whatever direction they deem appropriate. Without confusing the user base. Yes it means more rule overlap but that's something us end users are dealing with already..
>>>>
>>>> -J
>>>>
>>>> ----- Original Message -----
>>>> From: Matthew Jonkman <jonkman () emergingthreatspro com>
>>>> To: Joel Esler <jesler () sourcefire com>
>>>> Cc: Weir, Jason; Emerging Threats Threats Signatures <emerging-sigs () emergingthreats net>; waldo kitty <wkitty42 () windstream net>; snort-users () lists sourceforge net <snort-users () lists sourceforge net>
>>>> Sent: Fri Mar 18 16:40:41 2011
>>>> Subject: Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
>>>>
>>>> The issue is though that VRT won't support versions back to snort 2.4, nor a version for suricata, which we do at ET. So we have the gpl rules here as well in the ET ruleset. If that could be worked out we could integrate, but I think SF has made it clear their stance on suricata, and on snorts more than 2 versions back.
>>>>
>>>> Matt
>>>>
>>>> On Mar 18, 2011, at 3:20 PM, Joel Esler wrote:
>>>>> That was a porn rule. Which we've gotten rid of. Rules that are <1,000,000 in SID are officially maintained by the VRT (even the sids that were available before the VRT license change -- commonly referred to as "gpl rules"). Emerging threats is encouraged to submit any changes to the ruleset to sids <1,000,000 back to the VRT for inclusion into the VRT set. However, the numbers should not be duplicated.
>>>>>
>>>>> J
>>>>>
>>>>> On Mar 18, 2011, at 3:04 PM, Weir, Jason wrote:
>>>>>> That is the raw packet data - as outputted by BASE anyways..
>>>>>>
>>>>>> That rule is in the ET set here http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
>>>>>>
>>>>>> -J
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: waldo kitty [mailto:wkitty42 () windstream net]
>>>>>> Sent: Friday, March 18, 2011 2:53 PM
>>>>>> To: Weir, Jason
>>>>>> Cc: emerging-sigs () emergingthreats net
>>>>>> Subject: Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
>>>>>>
>>>>>> On 3/18/2011 13:56, Weir, Jason wrote:
>>>>>>> After I spammed the snort sigs list on this - looks like it came with the ET rules.. It's probably not maintained by anyone but I'm seeing what could be an FP on 1313
>>>>>>
>>>>>> sid:1313; does not exist in my setup with both VRT and ET rules sets... not even as a commented line...
>>>>>>
>>>>>>> Here's the data - no "up skirt" that I can see....
>>>>>>
>>>>>> is that the raw packet data?
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>> jesler () sourcefire.com
>>>>> http://blog.snort.org && http://blog.clamav.net
>>>>> Twitter: @snort
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630 x110
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> PGP: http://www.jonkmans.com/mattjonkman.asc

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
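The practical check behind this whole argument, as an added example that is not code from the thread, from VRT or from Emerging Threats: parse two rule files, find the SIDs present in both, and separate the copies that still detect the same thing from the ones whose detection logic has diverged. The rule grammar handled is the plain header-plus-options form of the rules the thread is about; the 1,000,000 boundary comes from Joel's message above. The sample rules (SIDs, messages, patterns), the function names and the set of options treated as "descriptive rather than detection" are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per Joel Esler's message in the thread: SIDs below 1,000,000 are VRT's range,
# so an ET copy of such a SID that has diverged is exactly the collision at issue.
VRT_RESERVED_BELOW = 1_000_000

# Rule header: optional leading "#" (disabled rule), action, proto, src, sport,
# direction, dst, dport, then the "( ... )" option block.
HEADER_RE = re.compile(
    r'^\s*(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$'
)
# One option: keyword, optional ":" value (a quoted value may contain ";"),
# terminated by ";".
OPTION_RE = re.compile(
    r'(?P<key>\w+)(?:\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;'
)
# Options that describe a rule rather than decide what it matches (assumption
# of this example); ignored when asking whether two copies still detect the same thing.
DESCRIPTIVE = {'msg', 'sid', 'rev', 'gid', 'reference', 'classtype',
               'metadata', 'priority'}


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    enabled: bool
    # Detection options kept in original order: order is meaningful in Snort
    # (e.g. a "relative" modifier binds to the preceding content match).
    detection: Tuple[str, ...]


def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse rule lines (enabled or commented out) into a dict keyed by SID."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # blank line, plain comment, or not a rule at all
        sid: Optional[int] = None
        rev, msg, detection = 0, '', []
        for om in OPTION_RE.finditer(m.group('opts')):
            key, val = om.group('key'), (om.group('val') or '').strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'rev':
                rev = int(val)
            elif key == 'msg':
                msg = val.strip('"')
            elif key not in DESCRIPTIVE:
                detection.append(f'{key}:{val}' if val else key)
        if sid is None:
            continue  # a rule without a sid cannot collide with anything
        rules[sid] = Rule(sid, rev, msg, m.group('off') is None, tuple(detection))
    return rules


def compare_rulesets(a: Dict[int, Rule], b: Dict[int, Rule]) -> Dict[str, List[int]]:
    """Bucket SIDs by whether the two rulesets carry the same detection logic."""
    shared = a.keys() & b.keys()
    identical = sorted(s for s in shared if a[s].detection == b[s].detection)
    diverged = sorted(s for s in shared if a[s].detection != b[s].detection)
    return {
        'identical': identical,
        'diverged': diverged,
        'diverged_in_vrt_range': [s for s in diverged if s < VRT_RESERVED_BELOW],
        'only_a': sorted(a.keys() - b.keys()),
        'only_b': sorted(b.keys() - a.keys()),
    }


def report(a_text: str, b_text: str) -> Dict[str, List[int]]:
    return compare_rulesets(parse_rules(a_text), parse_rules(b_text))


# Constructed sample rules for the demo: SIDs, messages and patterns are made up
# and are not real VRT or ET signatures.
VRT_SAMPLE = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXAMPLE command overflow attempt"; flow:to_server,established; content:"EXAMPLE"; nocase; isdataat:100,relative; classtype:attempted-admin; sid:1000; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example.cgi access"; flow:to_server,established; content:"/example.cgi"; nocase; http_uri; classtype:web-application-activity; sid:1001; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC retired check"; content:"retired"; classtype:web-application-activity; sid:1002; rev:1;)
'''

ET_SAMPLE = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP EXAMPLE command overflow attempt"; flow:to_server,established; content:"EXAMPLE"; nocase; isdataat:100,relative; classtype:attempted-admin; sid:1000; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB-MISC example.cgi access"; flow:to_server,established; uricontent:"/example.cgi"; nocase; classtype:web-application-activity; sid:1001; rev:4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXAMPLE outbound lookup"; content:"|07|example|03|net|00|"; classtype:bad-unknown; sid:2000001; rev:1;)
'''

if __name__ == '__main__':
    for bucket, sids in report(VRT_SAMPLE, ET_SAMPLE).items():
        print(f'{bucket:22s} {sids}')
```

Running it on the samples puts 1000 in the identical bucket (same detection options, only the msg prefix differs), 1001 in the diverged bucket (http_uri on one side, uricontent on the other, which is the kind of old-Snort compatibility change Matt describes), and 1002 and 2000001 in the one-side-only buckets. On real files, the diverged bucket is the set to act on: a SID carried by both sets with different detection logic is the case Jason argues should become a new rule rather than reuse the number.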