Snort mailing list archives
Re: [Snort-sigs] [Emerging-Sigs] Snort 2.8.6.1 EOL Reminder
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Fri, 2 Dec 2011 10:08:18 -0500
On Dec 1, 2011, at 9:45 PM, Jeff Kell wrote:
> On 12/1/2011 4:56 PM, Matthew Jonkman wrote:
>> Thanks for the good words. Both rulesets are quite good, just different focus for each, and different platforms supported.
>
> Agreed, but for those of us that aggregate our layers of defense <grin> it would be very nice to have an ETPRO and ETPRO-noGPL just as you have an ET and ET-noGPL set.
That's not a bad way to go. You'll have duplicated cycles, but you'll have a net gain in coverage if your sensors can handle the load.

So on the GPL duplication: We're moving the forked GPL sigs that we're maintaining up to the 2100000 sid range. That'll be complete today perhaps. We just have the imap category left to go. There were two reasons for that:

1. Lets us fork those into suricata versions, and maintain old versions without conflicts and coordination issues
2. Allows you to easily disable the range if you're using them from another source. You can cat and grep them out, or do a disable range in whatever rule manager is used.

Does that work for those issues?

NOTE: We push the useful GPL sigs from the old community ruleset (10 million range and up I think). I don't believe any of those are in the VRT tarball, so if you want those be sure to use the GPL stuff from our side and filter them out of VRT.

We could put up an ET Pro ruleset without the GPL stuff in there. Wouldn't be a huge deal to implement if it's necessary.
> With the current framework, you can't easily run VRT and ETPRO (duplication of filenames and signatures).
We generally recommend that ET Pro subscribers who also use VRT or another ruleset just drop them into separate directories and redefine the rules_path var between each. That keeps things clean and organized. The average rule manager GUI shouldn't have the issue at all.
> You can however easily run sourcefire (non-VRT) plus ET (non PRO).
Yup! Although you'll be missing the community sigs if you go no-gpl.

Thanks Jeff!

Matt
> Jeff
----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
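As an added example (not code from the thread, from Emerging Threats or from Sourcefire), here is one way to do the "cat and grep them out" step Matt describes: a POSIX shell/awk helper that comments out every rule whose sid falls in the forked-GPL range, so a sensor that also loads the VRT tarball gets those signatures from only one source. The function names, the 2199999 upper bound and the sample rules are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ET / VRT projects.
# Comments out every rule whose sid falls in the forked-GPL range Matt
# describes (2100000 and up; the 2199999 upper bound is an assumption), so
# an ET + VRT deployment loads those signatures from only one side.

# disable_sid_range FILE LOW HIGH
# Prints FILE with each rule whose "sid:N" lies in [LOW, HIGH] prefixed by "#".
disable_sid_range() {
    awk -v low="$2" -v high="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # keep comments and blank lines as-is
        match($0, /sid:[ \t]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)   # text after "sid:"
            gsub(/[ \t]/, "", sid)
            if (sid + 0 >= low + 0 && sid + 0 <= high + 0) { print "#" $0; next }
        }
        { print }
    ' "$1"
}

# count_enabled FILE -> number of rule lines that are still active
count_enabled() {
    grep -c '^[[:space:]]*alert' "$1"
}

# Constructed sample ruleset (sids and messages are made up for the demo).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXAMPLE imap test"; sid:2000001; rev:1;)
# alert tcp any any -> any any (msg:"already disabled"; sid:2000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP forked example"; sid:2100001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET WEB example"; sid:2000003; rev:2;)
EOF

# Write the filtered ruleset and report how many rules remain active.
FILTERED=$(mktemp)
disable_sid_range "$SAMPLE" 2100000 2199999 > "$FILTERED"
echo "active rules after filtering: $(count_enabled "$FILTERED")"
```

Point the sensor's rules_path at the filtered copy (or at a separate directory per ruleset, as Matt suggests) rather than editing the downloaded tarball in place, so the next rule update does not undo the change.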
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!