Snort mailing list archives

Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 18 Mar 2011 21:14:05 -0400

On Mar 18, 2011, at 8:39 PM, evilghost () packetmail net wrote:
On 03/18/11 19:23, Jason Brvenik wrote:
Make sense? What's missing?

Performance degradation, elimination of false positives/false negatives as the
Internet and applications evolve, etc.

If an improvement is made, and deemed an improvement, it makes sense to include
it into ET/VRT, or vice versa; remember these are community/GPL rules and not
VRT IP.

Let's refer to these as "GPL rules" to avoid confusion with the "community" set that Sourcefire was producing before 
the Snort.org redesign.


There are two ET sets, open, and open-nogpl, with the open set including GPL
rules overlapping with the VRT community rules.  There are organizations which
only run ET, so inclusion of the gpl rules in the 'open' set makes sense.  For
dual-subscribers (ET & VRT) the 'open-nogpl' rules make sense.


I agree with Jason's suggestion that if ET wants to use the rules, then re-sid them, using the original SID as a 
reference.  Heck, use reference:url,www.snort.org<whatever the link is to our documentation>;  I agree with 
non-duplication of the sids.

It was decided to not change the SIDs to avoid performance degradation, lack of
continuity in the GPL rules, etc.  So, if the VRT team makes changes to the GPL
rules we'd (ET [1]) appreciate the updates.  Conversely, if we (ET [1]) make
changes we'd like to submit these to VRT as well, and come to an agreement for
the sake of uniformity.

I have an idea for that, but I am not going to volunteer it publicly until I discuss it with Sourcefire internally to 
make sure we can do it.  If ET would like to submit changes, I encourage them to do so.  The OSSRC was formed to deal 
exactly with this issue, however, it seems as if not only the OSSRC has fallen off, but the communities that formed it 
have come up with different goals.

For example, detection was supposed to be unique.  However, now, there are rules that cover the same "things" in both 
rulesets.  OSSRC was there to manage duplication of this kind of thing and the transition of rules from the ET ruleset 
over to VRT.  It's obvious to me that isn't going to happen anymore.  Ref: ETPRO.


[1] I should say I am an ET community participant only and have no profit to
derive from my participation.  I'm actually speaking presumptuously for ET, but
I think there's a desire in cooperation between both organizations.  Just
bringing you up to speed.

The Snort community is a big world.  Getting a lot bigger recently (I've seen registration and traffic increase).  
Input from all forms is good.


--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort
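The re-sid approach Joel describes (give the imported GPL rule a new SID and keep the original SID as a reference) and the SID-collision problem behind it can both be mechanised. The block below is an added illustration written for this archive page; it is not code from ET, VRT or the thread. It assumes a constructed documentation URL template (the thread leaves the real snort.org link unspecified), a constructed SID offset of 2100000 for the re-numbered copies, and a handful of constructed, non-functional rules as sample input.

```python
import re
from typing import List

# Snort rule options: "sid:<n>;" identifies the rule, "rev:<n>;" its revision.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# Placeholder (constructed); the thread only says "www.snort.org<whatever the link is>".
ORIGINAL_RULE_DOC_URL = "www.example.invalid/rule-docs/sid/{sid}"

# Constructed offset for the re-numbered GPL copies (an assumption, not ET's real scheme).
GPL_RESID_OFFSET = 2100000

# Constructed sample rules; none of these are real VRT or ET signatures.
GPL_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB_SERVER sample"; '
    'flow:to_server,established; content:"GET"; sid:1201; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP sample"; '
    'flow:to_server,established; content:"USER"; sid:1301; rev:2;)',
]
VRT_ONLY = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"VRT sample"; '
    'flow:to_server,established; content:"|16 03|"; sid:15001; rev:1;)',
]
ET_ONLY = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET sample"; '
    'flow:to_server,established; content:"POST"; sid:2010001; rev:1;)',
]


def parse_sid(rule: str) -> int:
    """Return the integer sid of a rule, or raise if it has none."""
    m = SID_RE.search(rule)
    if m is None:
        raise ValueError("rule has no sid option: " + rule)
    return int(m.group(1))


def parse_rev(rule: str) -> int:
    """Return the rev of a rule (0 when absent, matching Snort's default)."""
    m = REV_RE.search(rule)
    return int(m.group(1)) if m else 0


def resid_rule(rule: str, new_sid: int, doc_url: str = ORIGINAL_RULE_DOC_URL) -> str:
    """Copy of `rule` with a new sid and a reference:url pointing at the original sid.

    The reference is inserted directly before the sid option so the rule text stays
    readable; the rev is left untouched so upstream revision tracking still applies.
    """
    m = SID_RE.search(rule)
    if m is None:
        raise ValueError("rule has no sid option: " + rule)
    orig_sid = int(m.group(1))
    reference = "reference:url,%s; " % doc_url.format(sid=orig_sid)
    return rule[:m.start()] + reference + "sid:%d;" % new_sid + rule[m.end():]


def resid_ruleset(rules: List[str], offset: int = GPL_RESID_OFFSET) -> List[str]:
    """Re-number every rule in `rules` by a fixed offset, keeping the mapping obvious."""
    return [resid_rule(r, parse_sid(r) + offset) for r in rules]


def find_sid_collisions(set_a: List[str], set_b: List[str]) -> List[int]:
    """SIDs present in both rulesets: loading both would be a duplicate-sid error."""
    sids_a = {parse_sid(r) for r in set_a}
    sids_b = {parse_sid(r) for r in set_b}
    return sorted(sids_a & sids_b)


def build_et_open_nogpl() -> List[str]:
    """An 'open' set that carries the GPL rules re-sidded, collision-free against VRT."""
    return resid_ruleset(GPL_RULES) + ET_ONLY


if __name__ == "__main__":
    vrt_set = GPL_RULES + VRT_ONLY
    et_open_raw = GPL_RULES + ET_ONLY          # GPL rules imported with their original sids
    print("collisions before re-sid:", find_sid_collisions(vrt_set, et_open_raw))
    print("collisions after re-sid: ", find_sid_collisions(vrt_set, build_et_open_nogpl()))
    for r in resid_ruleset(GPL_RULES):
        print(r)
```

Running the block shows the two constructed GPL sids colliding when both sets are loaded unchanged, and no collisions once the GPL copies are re-numbered with the original sid preserved in a `reference:url` option. The offset-based mapping is a deliberate choice: an operator reading sid 2101201 can recover the upstream sid 1201 without consulting the reference at all.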


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

