Snort mailing list archives
help
From: "Jan Andreasson" <Jan () bearcom se>
Date: Tue, 8 Mar 2005 19:36:43 +0100
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net
Sent: 8 March 2005 19:33
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4990 - 13 msgs

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. Re: Licensing (Matt Kettler)
2. Re: Snort Center 2.x (Alex Kirk)
3. Re: tcp flood (Matt Kettler)
4. Now that I have my oink code (Paul Schmehl)
5. RE: Now that I have my oink code (Joshua Berry)
6. Snort rule lookup from ACID broken?? (Marc Hering)
7. Re: Snort rule lookup from ACID broken?? (Geffrey Velásquez)
8. Re: Now that I have my oink code (Paul Schmehl)
9. RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject (Marc Hering)
10. RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken ?? - Email found in subject (SRH-Lists)
11. My Experience with the new Sourcefire VRT rules.. (Marc Hering)
12. RE: My Experience with the new Sourcefire VRT rules.. (Scott Morris)

--__--__--

Message: 1
Date: Tue, 08 Mar 2005 11:13:13 -0500
To: "Peter J Manis" <pmanis () comcast net>, "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland () erdc usace army mil>, <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Licensing

At 09:11 PM 3/7/2005, Peter J Manis wrote:
I think you misinterpreted Marty's email. Sourcefire doesn't allow you to bundle VRT rules in a commercial product no matter if you have a subscription or not, at least that's what the license says.
I didn't say a subscription would allow commercial redistribution. I said you had to pay in order to do commercial redistribution. i.e.: you need to obtain a commercial license from SF.

Basically there are two situations that involve you having to pay money of some amount to Sourcefire for the VRT rules.

1) if you want them fast you need a subscription
2) if you want to bundle them you need a commercial distribution license.

Obviously 1) is much cheaper, and 2) is subject to negotiations.

--__--__--

Message: 2
Date: Tue, 08 Mar 2005 11:32:08 -0500
From: Alex Kirk <alex.kirk () sourcefire com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Center 2.x

Jason,

I went out and got the latest copy of Snortcenter from Sourceforge (snortcenter-release.tar.gz from 2004-12-29, to be precise) when I saw this, so I could help you get it fixed. You'll at least need to update $snortrules_url in config.php to add an Oinkcode and reflect the new location, as discussed on this list by those using Oinkmaster. Just for clarification, once you register -- which is free and easy -- you can generate an Oinkcode for each IP that you need to download rules from with a very simple form in the User Preferences section of the new site.

In cases where forced downloading is not enabled (i.e. there is no "force" parameter in the URI for db_pars.php, and thus if(!$force) succeeds on line 32 of that file), you'll also need to have an updated MD5 download path. At the moment, we don't have a snortrules-snapshot-2.3.tar.gz.md5 file, but that should be fixed shortly.

Alex Kirk
Research Analyst
Sourcefire, Inc.
Hello,

For all of you that are using Snortcenter still the new snort website has totally broken all rule import functionality. I'm looking at the different rule sets and what the requirements are for getting them and what information needs to be passed to the website. But at this time I'm not sure what needs to be done to get it working again.

Jason Alexander

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 3
Date: Tue, 08 Mar 2005 11:34:16 -0500
To: SN ORT <snort_on_acid () yahoo com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] tcp flood

At 09:51 AM 3/8/2005, SN ORT wrote:
Yeah, any IoS Cisco that is, including the new IoS for PiX. Thanks.
Of course, the new OS for the PiX isn't released yet, so it doesn't do the OP any good. They have a public data sheet so we can plan for it, but that's all that's in public release. (PiX OS 7.0 is in beta, but that's not available to normal users with support contracts, you need a separate level of access and an NDA for the beta)

Also, minor point: technically it's PiX OS, not IOS. I only point it out because it's one common way to distinguish the product lines. "It's an IOS based firewall" explicitly means it's not a PiX, but a router with the FWFS added on.

--__--__--

Message: 4
Date: Tue, 08 Mar 2005 11:39:41 -0600
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Now that I have my oink code

When will it work? Right now it doesn't. How much time lag is there before the oink code allows me to d/l the ruleset?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

--__--__--

Message: 5
Subject: RE: [Snort-users] Now that I have my oink code
Date: Tue, 8 Mar 2005 11:42:02 -0600
From: "Joshua Berry" <jberry () PENSON COM>
To: "Paul Schmehl" <pauls () utdallas edu>, <snort-users () lists sourceforge net>

I was able to download immediately. I just had to figure out what IP my internal system was NATting to outbound.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Tuesday, March 08, 2005 11:40 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Now that I have my oink code

When will it work? Right now it doesn't. How much time lag is there before the oink code allows me to d/l the ruleset?
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

--__--__--

Message: 6
Date: Tue, 8 Mar 2005 12:45:46 -0500
From: "Marc Hering" <mhering () reval com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort rule lookup from ACID broken??

Hey Guys,

Is it just me, or since they changed the website, If I get an alert in ACID, and I click on "Snort" which usually takes me to a description of the rule that was violated..Now I get "Oink page not found" Is this just me or is this universal????
<M>

--__--__--

Message: 7
Date: Tue, 08 Mar 2005 12:49:23 -0500
From: Geffrey Velásquez <gvelasquez () minag gob pe>
To: Marc Hering <mhering () reval com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule lookup from ACID broken??

Yes! there is no more access using the url: http://www.snort.org/snort-db/sid.html?sid=NUMBER

Marc Hering wrote:
Hey Guys, Is it just me, or since they changed the website, If I get an alert in ACID, and I click on "Snort" which usually takes me to a description of the rule that was violated..Now I get "Oink page not found" Is this just me or is this universal???? <M>
--__--__--

Message: 8
Date: Tue, 08 Mar 2005 11:55:07 -0600
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Now that I have my oink code

--On Tuesday, March 08, 2005 11:39:41 AM -0600 Paul Schmehl <pauls () utdallas edu> wrote:
When will it work? Right now it doesn't. How much time lag is there before the oink code allows me to d/l the ruleset?
Never mind......

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

--__--__--

Message: 9
Subject: RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject
Date: Tue, 8 Mar 2005 12:54:34 -0500
From: "Marc Hering" <mhering () reval com>
To: Geffrey Velásquez <gvelasquez () minag gob pe>
Cc: <snort-users () lists sourceforge net>

Well that sucks............Does anyone know if there is another Interface like that one anymore???? It saves me a lot of work!!!

Thanks!

-----Original Message-----
From: Geffrey Velásquez [mailto:gvelasquez () minag gob pe]
Sent: Tuesday, March 08, 2005 12:49 PM
To: Marc Hering
Cc: snort-users () lists sourceforge net
Subject: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject

Yes! there is no more access using the url: http://www.snort.org/snort-db/sid.html?sid=NUMBER

Marc Hering wrote:
Hey Guys, Is it just me, or since they changed the website, If I get an alert in ACID, and I click on "Snort" which usually takes me to a description of the rule that was violated..Now I get "Oink page not found" Is this just me or is this universal???? <M>
--__--__--

Message: 10
From: SRH-Lists <giermo () 333tech com>
To: 'Marc Hering' <mhering () reval com>, Geffrey Velásquez <gvelasquez () minag gob pe>
Cc: snort-users () lists sourceforge net
Subject: RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken ?? - Email found in subject
Date: Tue, 8 Mar 2005 11:59:33 -0600
Yes! there is no more access using the url: http://www.snort.org/snort-db/sid.html?sid=NUMBER

Marc Hering wrote:

Hey Guys, Is it just me, or since they changed the website, If I get an alert in ACID, and I click on "Snort" which usually takes me to a description of the rule that was violated..Now I get "Oink page not found" Is this just me or is this universal???? <M>
It is in the works: http://www.snort.org/rules/search.html

<quote>
We are currently developing an enhanced rule search engine, which will be available shortly. We apologize for any inconvenience this may cause.
</quote>

-steve

--__--__--

Message: 11
Date: Tue, 8 Mar 2005 13:19:31 -0500
From: "Marc Hering" <mhering () reval com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] My Experience with the new Sourcefire VRT rules..

Well,

I know there has been a lot of debate over the new VRT Rules and licensing methods from Sourcefire. I was staying on the sidelines due to my relative newness to Snort in general, but now that I have had some interaction with the new website I wanted to let everyone know my experiences.. This is just what happened to me, and I am not trying to start any flame wars...so if you agree with me then great, if you don't agree with me then great!

Let me start out by saying that I personally don't have a problem with what SF is doing, After all, if I didn't want to pay I can still get the rules 5 days later for free or write my own. but since I need the rules pretty fast (and I am not the best at writing rules..) I was ok with paying the subscription fee. So I mosey on over to snort.org and try to sign up.

Well, all I can say is that if you are like me and don't mind paying the subscription, then GOOD LUCK!! Finding the pricing is damn near impossible, and when you follow the link to even sign up, it tries to take you to a secure site THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it doesn't protect snort.org it is for sourcefire.com) then when I get to the signup page, firefox reports that this site is not secure at all (even though it says https, there is no encryption going on) Yeah I'm gonna transmit info plaintext..NOT! And still no mention of how much it costs until after you create an account..... Oh and for all you ACID users out there, I just found out that you can't do a rule lookup anymore even if you are a subscriber ( In their defense, they DO say the rule lookup function is forthcoming and I am sure some clever person will write a patch eventually)

I completely understand why Sourcefire is changing the way the rules are distributed, and I support them in it after all, they do deserve to get paid for hard work, however if they are going to make a change like this that affects the whole snort community, then I would request that they at least make sure that everything works before they put it live!

Thanks!

</rant mode>
--__--__--

Message: 12
Subject: RE: [Snort-users] My Experience with the new Sourcefire VRT rules..
Date: Tue, 8 Mar 2005 13:32:25 -0500
From: "Scott Morris" <Scott.Morris () syniverse com>
To: <snort-users () lists sourceforge net>

It is a new site so I'll give them slack there. However our corporate counsel had apoplexy when he saw the license terms. Particularly the granting access to books, records and facilities.

You will, from time to time and as requested by Sourcefire, provide assurances to Sourcefire that you are using the VRT Certified Rules consistent with a Permitted Use, and you grant Sourcefire access, at reasonable times and in a reasonable manner, to the VRT Certified Rules in your possession or control, and to your books, records and facilities to permit Sourcefire to verify appropriate use of the VRT Certified Rules and compliance with this Agreement.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marc Hering
Sent: Tuesday, March 08, 2005 1:20 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] My Experience with the new Sourcefire VRT rules..

Well,

I know there has been a lot of debate over the new VRT Rules and licensing methods from Sourcefire. I was staying on the sidelines due to my relative newness to Snort in general, but now that I have had some interaction with the new website I wanted to let everyone know my experiences.. This is just what happened to me, and I am not trying to start any flame wars...so if you agree with me then great, if you don't agree with me then great!

Let me start out by saying that I personally don't have a problem with what SF is doing, After all, if I didn't want to pay I can still get the rules 5 days later for free or write my own. but since I need the rules pretty fast (and I am not the best at writing rules..) I was ok with paying the subscription fee. So I mosey on over to snort.org and try to sign up.

Well, all I can say is that if you are like me and don't mind paying the subscription, then GOOD LUCK!! Finding the pricing is damn near impossible, and when you follow the link to even sign up, it tries to take you to a secure site THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it doesn't protect snort.org it is for sourcefire.com) then when I get to the signup page, firefox reports that this site is not secure at all (even though it says https, there is no encryption going on) Yeah I'm gonna transmit info plaintext..NOT! And still no mention of how much it costs until after you create an account..... Oh and for all you ACID users out there, I just found out that you can't do a rule lookup anymore even if you are a subscriber ( In their defense, they DO say the rule lookup function is forthcoming and I am sure some clever person will write a patch eventually)

I completely understand why Sourcefire is changing the way the rules are distributed, and I support them in it after all, they do deserve to get paid for hard work, however if they are going to make a change like this that affects the whole snort community, then I would request that they at least make sure that everything works before they put it live!

Thanks!

</rant mode>

--__--__--

End of Snort-users Digest