Snort mailing list archives
Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 18 Mar 2011 21:14:05 -0400
On Mar 18, 2011, at 8:39 PM, evilghost () packetmail net wrote:

> On 03/18/11 19:23, Jason Brvenik wrote:
>> Make sense? What's missing?
>
> Performance degradation, elimination of false positives/false negatives as the Internet and applications evolve, etc. If an improvement is made, and deemed an improvement, it makes sense to include it into ET/VRT, or vice versa; remember these are community/GPL rules and not VRT IP.

Let's refer to these as "GPL rules" to avoid confusion with the "community" set that Sourcefire was producing before the Snort.org redesign.

> There are two ET sets, open, and open-nogpl, with the open set including GPL rules overlapping with the VRT community rules. There are organizations which only run ET, so inclusion of the gpl rules in the 'open' set makes sense. For dual-subscribers (ET & VRT) the 'open-nogpl' rules make sense.

I agree with Jason's suggestion that if ET wants to use the rules, then re-sid them, using the original SID as a reference. Heck, use reference:url,www.snort.org<whatever the link is to our documentation>; I agree with non-duplication of the SIDs.

> It was decided to not change the SIDs to avoid performance degradation, lack of continuity in the GPL rules, etc. So, if the VRT team makes changes to the GPL rules we'd (ET [1]) appreciate the updates. Conversely, if we (ET [1]) make changes we'd like to submit these to VRT as well, and come to an agreement for the sake of uniformity.

I have an idea for that, but I am not going to volunteer it publicly until I discuss it with Sourcefire internally to make sure we can do it. If ET would like to submit changes, I encourage them to do so. The OSSRC was formed to deal exactly with this issue; however, it seems as if not only has the OSSRC fallen off, but the communities that formed it have come up with different goals. For example, detection was supposed to be unique. However, now there are rules that cover the same "things" in both rulesets. OSSRC was there to manage duplication of this kind of thing and the transition of rules from the ET ruleset over to VRT. It's obvious to me that isn't going to happen anymore. Ref: ETPRO.

> [1] I should say I am an ET community participant only and have no profit to derive from my participation. I'm actually speaking presumptuously for ET, but I think there's a desire for cooperation between both organizations. Just bringing you up to speed.
The Snort community is a big world. Getting a lot bigger recently (I've seen registration and traffic increase). Input from all forms is good.

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort
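The re-siding that Jason and Joel suggest above (give the copied GPL rule a new SID and keep the original SID as a reference: option) is mechanical enough to script. The block below is an added example written for this archive page; it is not VRT, Sourcefire or Emerging Threats tooling and none of the people in the thread posted it. It parses Snort rule lines, reports SIDs present in both sets, and rewrites the colliding rules. The sample rule sets are constructed for the demo, and both the snort.org reference path and the 2800000 target range are placeholders, since the thread leaves the documentation URL and any renumbering scheme open.

```python
"""Find SID collisions between two Snort rule sets and re-sid the overlapping
rules, keeping the original SID as a reference:url option.

Added example for the SID discussion in this thread; not VRT or Emerging
Threats tooling. Sample rules are constructed; the snort.org reference path
and the 2800000 target range are placeholders (the thread leaves both open).
"""
import re

_RULE_RE = re.compile(r"^(?P<header>[^(]+)\((?P<body>.*)\)\s*$")


def split_options(body):
    """Split an option body on ';' honouring double quotes and backslash escapes,
    so content:"a\\;b" survives. Bare modifiers (nocase, http_uri) get value None."""
    tokens, buf, in_quote, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\":                       # keep escape pairs such as \; verbatim
            buf += body[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tokens.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    tokens.append(buf)
    opts = []
    for tok in tokens:
        tok = tok.strip()
        if tok:
            key, sep, val = tok.partition(":")
            opts.append((key.strip(), val.strip() if sep else None))
    return opts


def parse_rule(line):
    """One rule line -> {"header", "options"}; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a Snort rule: {line[:40]!r}")
    return {"header": m.group("header").strip(),
            "options": split_options(m.group("body"))}


def get_sid(rule):
    return int(next(v for k, v in rule["options"] if k == "sid"))


def render(rule):
    parts = [k if v is None else f"{k}:{v}" for k, v in rule["options"]]
    return f'{rule["header"]} ({"; ".join(parts)};)'


def load_rules(text):
    """Parse a rule file into {sid: rule}; a SID repeated inside one set is a bug."""
    rules = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            sid = get_sid(rule)
            if sid in rules:
                raise ValueError(f"sid {sid} appears twice in one rule set")
            rules[sid] = rule
    return rules


def sid_collisions(a, b):
    """SIDs present in both sets: exactly the rules that need re-siding."""
    return sorted(set(a) & set(b))


def resid(rule, new_sid, ref_base):
    """New SID, rev restarted at 1, old SID kept as reference:url (no scheme)."""
    old_sid = get_sid(rule)
    opts = []
    for key, val in rule["options"]:
        if key == "sid":
            opts.append(("reference", f"url,{ref_base}{old_sid}"))
            opts.append(("sid", str(new_sid)))
        elif key == "rev":
            opts.append(("rev", "1"))
        else:
            opts.append((key, val))
    return {"header": rule["header"], "options": opts}


def resid_overlaps(base, other, start_sid, ref_base):
    """Rewritten copy of `other` plus {old_sid: new_sid}; every SID colliding
    with `base` moves to a SID that is free in both sets and >= start_sid."""
    out, mapping, next_sid = {}, {}, start_sid
    for sid in sorted(other):
        if sid not in base:
            out[sid] = other[sid]
            continue
        while next_sid in base or next_sid in other:
            next_sid += 1
        out[next_sid] = resid(other[sid], next_sid, ref_base)
        mapping[sid], next_sid = next_sid, next_sid + 1
    return out, mapping


# Constructed sample sets: two GPL rules shared under the same SIDs, one ET-only rule.
VRT_GPL_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL EXAMPLE ftp SITE command"; flow:to_server,established; content:"SITE"; nocase; classtype:attempted-admin; sid:1971; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL EXAMPLE semicolon in uri"; flow:to_server,established; content:"\;"; http_uri; classtype:web-application-attack; sid:2003; rev:1;)
"""
ET_OPEN_RULES = VRT_GPL_RULES + r"""
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET EXAMPLE beacon"; flow:to_server,established; content:"GET /beacon"; classtype:trojan-activity; sid:2000001; rev:2;)
"""

if __name__ == "__main__":
    vrt, et = load_rules(VRT_GPL_RULES), load_rules(ET_OPEN_RULES)
    print("colliding SIDs:", sid_collisions(vrt, et))
    rewritten, mapping = resid_overlaps(vrt, et, 2800000, "www.snort.org/sid/")
    print("mapping:", mapping)
    for rule in rewritten.values():
        print(render(rule))
```

Run it against an 'open' and a VRT GPL file instead of the constructed strings and the collision list is the set of rules a dual subscriber currently loads twice. Restarting rev at 1 is a design choice: the re-sided rule is a new identity, and its revision history starts with the copy, while the reference:url keeps the link back to the original SID that Joel asks for.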
Current thread:
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?, (continued)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Joel Esler (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Crusty Saint (Mar 21)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Weir, Jason (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Joel Esler (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Joel Esler (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Martin Holste (Mar 20)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 21)