Snort mailing list archives

Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?


From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Mon, 21 Mar 2011 15:53:06 -0400

On Mar 21, 2011, at 10:43 AM, Joel Esler wrote:
I haven't diff'ed your version of the gpl rules to ours, I'll try and make time to do that today if I can -- and I 
haven't diffed our gpl rules from 2005 to now (3464 and below), but I suspect they haven't changed much maybe some 
references and what not, but I'd like to see what else.  

We started with the 2005 pre-VRT versions, so we'll have significant differences I imagine. 

I have a couple ideas that I have discussed with Sourcefire internally, and I'm not going to talk about those until 
they come out.  I don't want to say "here's my idea" and then have someone print it out and staple it to a wall.  
(evilghost -- ;).

I'd like the maintainers of the ET GPL rules to please send me any changes that you have made to the rules that we 
could incorporate, as that has not been done yet, and it should be.

They're downloadable at http://rules.emergingthreats.net/

We have many versions, and suricata as well. Pick which you'd like to diff from. Thanks Joel!


I'd like the maintainers of the ET GPL rules, if you insist on keeping the GPL rules, please fork them, re-sid them, 
and add a reference back to the original SID.  Please do not duplicate the SIDS that are already assigned.  That's 
the major point of this whole thread.  To avoid this whole thread from occurring again.

We're not duplicating though, we're just modifying. But what seems to be the core issue is that we will have versions 
and platforms that are not supported by SF, so why would we send the changes to those (suricata, or snort 2.8.6 for 
example) to SF for inclusion there? We need to maintain our own versions, and I don't expect we'll have a lot of 
overlap. 

I'm still anti re-sid'ing. We lose a lot of history there and reference. But if the sentiment of the community goes 
there we can make that happen. But I think we have other issues to solve then, like deduplication for folks that still 
combine the et open rules with vrt. It'd be a week or more of work to re-sid and update, so we'd probably not have a 
contiguous range of sids.


If we are going to coexist, (ET and VRT) then this is the way it must be.  We are a community.  We are acting like 
one, we will have our fights and our disagreements, that's fine.  But let's make them constructive.

We definitely want to coexist. I think we've made great concessions there in making our rules fit with VRT for folks 
that want to use them. 

On a personal note, I've tried to reach out heavily to you Matt both on list and privately to try and unify the 
communities, you go your way with PRO sigs and we go our way with PRO sigs.  But meet in the middle somewhere.  I've 
received zero push back from Sourcefire on this, and I've received nothing but "I don't believe you", "It hasn't 
worked before", etc from your side.  

I realize I may be pessimistic, but it's been nearly 10 years of that now. I don't feel like we've gotten many of the 
things you and I and the community have wanted to do approved or off the ground. So I'm quite pessimistic I'm sure. But 
not against things moving along if they might....


I do feel a bit insulted that you'd insult me or Jason's integrity or "community spirit" (as that's my job), and even 
more insulted that anyone would insult the VRT.  They are a very hardworking group of individuals, and no one 
understands what goes on in that group if you aren't inside.  On purpose.  Are we going to open that kimono a bit?  I 
hope so.


No insult intended, and apologies if it was taken that way. My comments earlier were based on what we see. And since we 
can see very little there is a lot of assumption in there. More openness would go a long way. 


I'm not asking for an apology, this is my job.  To have these discussions and come up with a solution that is best 
for the community.  I have a couple ideas that may or may not work, and that's fine either way.  If they don't work, 
then we'll keep going the way we have been going.  If they do work, then we'll have a closer community.  But please 
don't say that I have no community spirit or aren't working to unify it.


I don't think I said that, and wouldn't. You've been the best hope we've had for a very long time to make collaboration 
work!!


Would I like to have a healthy working relationship between ET, the VRT, and the community?  Yes.  
I do not presume to speak for VRT, but I am sure a healthy community is also in their interests as well.  Do I think 
we have a dysfunctional marriage right now?  Yes.  
Do I think we can fix it?  Yes.



I hope we can as well. 

Matt

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


