Snort mailing list archives

Re: [Snort-sigs] [Emerging-Sigs] Snort 2.8.6.1 EOL Reminder


From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Fri, 2 Dec 2011 10:08:18 -0500


On Dec 1, 2011, at 9:45 PM, Jeff Kell wrote:

> On 12/1/2011 4:56 PM, Matthew Jonkman wrote:
>> Thanks for the good words. Both rulesets are quite good, just different focus for each, and different platforms
>> supported.

> Agreed, but for those of us that aggregate our layers of defense <grin>
> it would be very nice to have a ETPRO and ETPRO-noGPL just as you have
> an ET and ET-noGPL set.


That's not a bad way to go. You'll have duplicated cycles, but you'll have a net gain in coverage if your sensors can 
handle the load. 

So on the GPL duplication: We're moving the forked GPL sigs that we're maintaining up to the 2100000 sid range. That'll 
be complete today perhaps. We just have the imap category left to go. There were two reasons for that:

1. Lets us fork those into suricata versions, and maintain old versions without conflicts and coordination issues

2. Allows you to easily disable the range if you're using them from another source. You can cat and grep them out, or 
do a disable range in whatever rule manager used. 


Does that work for those issues? NOTE: We push the useful GPL sigs from the old community ruleset (10 million range and 
up I think). I don't believe any of those are in the VRT tarball, so if you want those be sure to use the GPL stuff 
from our side and filter them out of VRT.

We could put up an ET Pro ruleset without the GPL stuff in there. Wouldn't be a huge deal to implement if it's 
necessary.



> With the current framework, you can't easily run VRT and ETPRO
> (duplication of filenames and signatures).


We generally recommend to ET Pro subscribers who are using VRT or another ruleset as well that you just drop them into separate
directories and redefine the rules_path var between each. That keeps things clean and organized. The average rule
manager GUI shouldn't have the issue at all.


> You can however easily run sourcefire (non-VRT) plus ET (non PRO).


Yup! Although you'll be missing the community sigs if you go no-gpl.


Thanks Jeff!

Matt

> Jeff

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org




----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
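The sid-range filtering Matt describes above (cat/grep the forked GPL sigs out, or disable the range in your rule manager), as an added shell example that is not part of this thread and not Emerging Threats' own tooling: it comments out every active rule whose sid falls in a given range, so the forked GPL copies can be dropped when you already get them from another source. The sample rules file, its contents and the upper bound 2199999 are constructed assumptions; the thread only names the 2100000 range.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes standard Snort/Suricata rule
# syntax: one rule per line, with a "sid:NNNN;" option somewhere in the rule.

# Constructed sample rules file (fictional sids and content, for demonstration only).
RULES_FILE="${TMPDIR:-/tmp}/et-sample.rules"
cat > "$RULES_FILE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP example"; flow:to_server,established; content:"LOGIN"; sid:2101234; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET WEB example"; flow:to_server,established; content:"GET"; sid:2010001; rev:2;)
# disabled earlier by hand
#alert tcp any any -> any any (msg:"already off"; sid:2100001; rev:1;)
alert udp any any -> any 53 (msg:"ET DNS example"; sid:2099999; rev:3;)
EOF

# disable_sid_range FILE LOW HIGH
# Prints FILE with every active rule whose sid is in [LOW, HIGH] commented out.
# Lines that are already comments are passed through untouched, so the script
# is safe to run repeatedly on the same file.
disable_sid_range() {
    awk -v low="$2" -v high="$3" '
        /^[[:space:]]*#/ { print; next }          # keep comments / already-disabled rules
        match($0, /sid:[[:space:]]*[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^sid:[[:space:]]*/, "", s)       # strip the "sid:" prefix, keep the number
            sid = s + 0
            if (sid >= low && sid <= high) { print "#" $0; next }
        }
        { print }
    ' "$1"
}

# count_active FILE: number of rules in FILE that are not commented out.
count_active() {
    grep -c '^[[:space:]]*alert' "$1"
}

# Usage: write a filtered copy and compare the active-rule counts.
# (The 2199999 upper bound is an assumption; adjust to match your ruleset.)
FILTERED="${TMPDIR:-/tmp}/et-filtered.rules"
disable_sid_range "$RULES_FILE" 2100000 2199999 > "$FILTERED"
echo "active before: $(count_active "$RULES_FILE"), after: $(count_active "$FILTERED")"
```

Because the filter only prepends `#`, the disabled rules stay in the file and can be diffed against the next ruleset update; for a permanent drop, pipe the output through `grep -v '^#alert'` instead.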

