Snort mailing list archives
Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Sat, 19 Mar 2011 10:41:25 -0400
I would like uniformity. I think we would agree on most of the changes in the GPL rules between ET and VRT. But there will be issues, I suspect:

1. Speed of updates. ET Open and Pro rulesets update about daily. You submit something, it's changed in 24 hours and published. VRT is weekly at best (still astounds me that people accept that... would AV updates be OK that slow? Why IDS?). I don't think this community will work well with a week or longer update cycle, especially if we're waiting for approval from VRT to make a change in a GPL sig. We just operate differently, and I don't see easy collaboration there. If we make a change on our schedule and VRT disagrees a week later, we have unnecessary overhead and flip-flop.

2. We've been hashing over collaboration between VRT and SF and ET for what, 7 years now? Every time it's come down to SF saying no, we can't do that because it's not in our commercial interest. I frankly just don't believe it will be any different this time (try number 62). I know you're sincere about wanting to collaborate, Joel and Jason, but I just don't believe anything can come of it from above. We all get along great at the personal level; the VRT team and the ET team and communities are both great people at the top of their games that help each other when needed. But when the approval process of SF comes into play, it always gets stopped. So we're best off with informal agreements, as we've been doing for years.

3. Let's be clear here. The ET ruleset is NOT here for VRT to pick the best of and consume, making VRT some kind of uber-ruleset, and then we'll drop whatever VRT consumes out of the ET ruleset. The ET ruleset is NOT a secondary or sub-par ruleset. This ruleset stands on its own, it's independent, and frankly it's better than VRT because of the community that runs it and the speed at which we cover malware. OSSRC may have been appropriate 5 years ago, but those days are gone. So let's talk on an equal playing field or not at all.

4. The ET Open ruleset will continue to flourish as the community stays involved and keeps making it great, and we keep taking and pushing the intel they share in a timely manner. It'll also flourish as the ET Pro ruleset remains a commercial success to support the open ruleset, which also gives folks one place to get all the mainstream vulns plus the malware without duplication. So at the end of the day we are competitive. Closer collaboration will very likely not sit well with the SF management team. So why are we pretending it might?

5. We have many more versions of the rules available, including Suricata and many more back versions of Snort. So if there is a master set of the rules to be maintained, it should be here, not at VRT. VRT can then pull the limited versions they publish. That makes perfect logical sense, so let's talk about that. We will take whatever changes VRT proposes and integrate them within 24 hours, and it'll still be within the update cycle of VRT. And you'll have many more versions available to you, should you choose to quit end-of-lifing active products.

I realize I've come off a bit dick-ish the last couple of days. Perhaps I'm ovulating. But the above is how I see things, and I don't believe this time will be different with Sourcefire. ("Please come back baby, I swear I won't hit you... again...") I'm just not buying it.

Let this be VERY clear: I am not impugning the character or community spirit of Joel or Jason or any of the VRT guys. You're all great guys and I enjoy working with you all. But you work for the largest security vendor in the space, whose only goal is to get more market share to jack up the share price while everyone prepares to cash out, or get yourselves bought by one of the big 5. Having a larger and faster-moving ruleset doesn't get that market share (a long list of CVEs covered does, so malware isn't a priority), so I am dubious there will be any movement here.

But at the end of the day I'm just one guy in the ET community, and this community does what this community as a whole wants. So I've laid out my thoughts on collaboration, and I don't believe it'll work unless we maintain that repository, since we produce more versions and platforms.

Thoughts? This is the decision of the ET community, so please weigh in! I'm sure some will disagree and lambaste me (Paul, where are ya?) but I want to hear it all. We'll decide what to do together.

Matt

On Mar 18, 2011, at 7:50 PM, evilghost () packetmail net wrote:
> * PGP Signed by an unverified key: 3/18/11 at 7:50:50 PM
>
> On 03/18/11 18:45, Jason Brvenik wrote:
>> Define "them" please
>> Is your assertion that users don't need to run VRT and ET Rules sets?
>
> He's talking about GPL duplication across both the VRT and ET sets; there's no point to run true duplicated rules. As a matter of fact, it results in SID collision and breakage. So, if ET is making changes to these GPL rules, hopefully they'll be committed into the VRT set (if they're not deprecated) so that there is uniformity across both rule sets.
>
> --
> It has been said that "hate" is a powerful emotion, perhaps that's why I'm so strong.
> -evilghost
>
> * evilghost () packetmail net <evilghost () packetmail net>
> * 0xEEEB1387 - Unverified(L)
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
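The duplication point raised in the quoted reply above (loading the same GPL rule from both the VRT and ET sets gives SID collisions) is something you can check before Snort ever sees the files; how a given Snort release reacts to a repeated gid:sid (warning, replacement by higher rev, or fatal error) has varied between versions, so the safe policy is to find the overlap first. The script below is an added example, not code from either project or from this thread: it parses two rule files, keeps commented-out (disabled) rules so that "same sid, disabled on one side" is visible, and splits the overlap into true duplicates, diverged rules (same sid, different body) and live collisions (enabled on both sides). The two rule texts are constructed for the demo and use made-up sids in the 1000000+ and 2000000+ ranges, not real ET or VRT sids.

```python
"""Find SID collisions between two Snort rule files (added example)."""
import re
from dataclasses import dataclass

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


@dataclass(frozen=True)
class Rule:
    sid: int
    rev: int
    msg: str
    enabled: bool   # False when the line was commented out with '#'
    body: str       # rule text with any leading '#' stripped


def parse_rules(text):
    """Return {sid: Rule} for every rule line, disabled rules included.
    A sid that appears twice in the same file is an error, since that
    file would collide with itself."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        if body.split(" ", 1)[0] not in ACTIONS:
            continue            # an ordinary comment, not a disabled rule
        m = SID_RE.search(body)
        if not m:
            continue            # Snort rejects a rule without a sid anyway
        sid = int(m.group(1))
        if sid in rules:
            raise ValueError(f"sid {sid} appears twice in one file")
        rev_m = REV_RE.search(body)
        msg_m = MSG_RE.search(body)
        rules[sid] = Rule(sid,
                          int(rev_m.group(1)) if rev_m else 0,
                          msg_m.group(1) if msg_m else "",
                          enabled, body)
    return rules


def find_collisions(set_a, set_b):
    """Classify sids present in both sets:
       identical - rule bodies match exactly (true duplicate, drop one)
       diverged  - same sid, different body (someone edited one copy)
       live      - enabled in both sets (what actually collides at load)"""
    out = {"identical": [], "diverged": [], "live": []}
    for sid in sorted(set(set_a) & set(set_b)):
        a, b = set_a[sid], set_b[sid]
        out["identical" if a.body == b.body else "diverged"].append(sid)
        if a.enabled and b.enabled:
            out["live"].append(sid)
    return out


# Constructed sample "VRT-style" GPL file (hypothetical rules, not real content)
VRT_SAMPLE = r"""
# GPL rules, VRT-style file (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP sample login"; flow:to_server,established; content:"USER"; nocase; sid:1000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE sample id check"; flow:from_server,established; content:"uid="; sid:1000002; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS sample query"; content:"|01 00 00 01|"; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB sample only in vrt"; content:"/cgi-bin/"; sid:1000004; rev:1;)
"""

# Constructed sample "ET-style" file: same sids, one edited, one disabled
ET_SAMPLE = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP sample login"; flow:to_server,established; content:"USER"; nocase; sid:1000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE sample id check"; flow:from_server,established; content:"uid="; pcre:"/uid=\d+/"; sid:1000002; rev:6;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS sample query"; content:"|01 00 00 01|"; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET sample only in et"; content:"x"; sid:2000001; rev:1;)
# plain comment line, not a disabled rule
"""


def demo():
    """Run the comparison on the constructed samples."""
    return find_collisions(parse_rules(VRT_SAMPLE), parse_rules(ET_SAMPLE))


if __name__ == "__main__":
    for kind, sids in demo().items():
        print(f"{kind:9s}: {sids}")
```

On the constructed input this reports sid 1000001 and 1000003 as identical copies, 1000002 as diverged (ET bumped the rev and added a pcre), and only 1000001 and 1000002 as live collisions, because the ET copy of 1000003 is commented out. For real files, the same `find_collisions` output tells you which duplicates can simply be disabled on one side and which need a decision about whose edit wins.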
Current thread:
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?, (continued)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Crusty Saint (Mar 21)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Weir, Jason (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Joel Esler (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 18)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Jason Brvenik (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Martin Holste (Mar 20)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Matthew Jonkman (Mar 21)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? Martin Roesch (Mar 19)
- Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody? evilghost () packetmail net (Mar 19)