Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Emerging-Sigs] [Snort-Sigs] Re: [Snort-sigs] Snort 2.8.6.1 EOL Reminder

From: Joel Esler <jesler () sourcefire com>
Date: Fri, 2 Dec 2011 14:50:04 -0500
On Dec 2, 2011, at 2:35 PM, Matthew Jonkman wrote:


Ya, we went through all this for a while, and for a number of reasons (of which I recall a few I'll put below) we 
decided itd be easier to fork. I did not realize though that you maintain the old community rules in the vrt tarball. 
Is that really so?



Of course.  Our detection is continually updated and it will continue to be updated with new features when we are 
rolling them out.  We have plans for the future that may effect a vast majority of these rules.


Reasons I recall for the fork though:

1. Any changes vrt makes aren't public for 30 days. We don't want to wait there, or have to be pulling and picking 
apart the vrt tarball every release to find them.

2. We support many more versions of snort, and we have to maintain the older versions as they were, which makes all 
sorts of admin headaches when they change to new versions only in the vrt version


Which is one of the many reasons why we don't.  We build features into Snort for a reason, to make detection better and 
easier.  We believe that supporting old versions is incorrect and is like Microsoft continuing to support NT forever.  
It's just bad business.


4. I can't recall an example at the moment, but there may be cases where we want to set a flowbit for an ET rule in a 
gpl sig, which I imagine VRT wouldn't want to maintain if they didn't have the rule which checks it


It isn't any insult that we moved them, don't take it that way.


No.  I was one of the advocates for you moving them if you remember correctly.  We can't have other people using our 
SIDs.  It's bad enough we have different detection with same "pseudo" sid.

J
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: