Snort mailing list archives
Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 21 Mar 2011 12:07:53 -0400
Answering inline.

On Mon, Mar 21, 2011 at 11:43 AM, evilghost () packetmail net <evilghost () packetmail net> wrote:

> On 03/21/11 10:26, Martin Roesch wrote:
>> Am I missing a case here?
>
> Yeah, this is an obtuse approach. There are two ET rule packs, Open and Open-NoGPL. They are just that: users of VRT who get the GPL rules would use Open-NoGPL. ET-only folks would use Open, which would include the GPL rules. I don't understand the point behind re-SID and duplication, patching, etc. If the changes made to an "ET" GPL rule make sense, why wouldn't VRT want to consider it for inclusion/update? Vice versa.
Basically the SIDs were created for machine processing as much as they exist for people, we don't want to have one SID mean two different things and it's easy to change SIDs. There are SIEM and other event processing systems that rely completely on the SID numbers having a discrete meaning so that any correlation they might do is correct and consistent. I'm not saying that they *will* become inconsistent down the road but they *might* so just trying to think ahead it seems easiest to me to just have a separate SID-space if they are to be, effectively, forked.
> There's no point to fork when adjustments are made to enhance detection, improve performance, or reduce false positives. Why wouldn't VRT want an improved rule?
I suppose that depends on your definition of "improved". :) Or maybe I should say not all rules are improved equally or something. Anyway, the issue on accepting a patch that improves the efficacy of the rule at the cost of ruinous impact on performance (as an example) could be one case where VRT wouldn't accept a patch. I'm sure there are other cases where similar situations could arise.
> Do you really suggest we ask dual-subscribers (VRT and ET) to run two sets of the same rule, one stagnated and legacy, the other an updated re-SID of the same rule?
No, not really. The ideal outcome from my standpoint is to have one rule to detect a given attack and the canonical GPL set to remain the canonical set. I think case 2 that I described in my last post reflects the "best" way to achieve that.

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
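The concern in Marty's reply above, that a SID must keep one meaning because SIEMs and other event processors correlate on the number, is something a rule consumer can check mechanically before loading two packs side by side. The script below is an added example and is not code from this thread, from Sourcefire/VRT or from Emerging Threats. It parses two Snort rule packs, finds SIDs present in both whose detection content differs, and separates a fork (the rev was bumped) from the worst case for correlation, the same sid and rev attached to different content. The rule packs, SIDs, messages and options in it are constructed for illustration and do not correspond to any real VRT or ET rule.

```python
"""Check two Snort rule packs for SID collisions.

Added example; not code from the thread, Sourcefire/VRT or Emerging Threats.
The rule packs at the bottom are constructed: every SID and content match is
made up and matches no real VRT or ET rule.
"""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def _logical_lines(text):
    """Join backslash-continued lines so each rule is a single string."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_rules(text):
    """Map sid -> (rev, msg, body) for every active rule in a pack.

    'body' is the rule with sid, rev and msg removed and whitespace
    normalised, so two rules compare equal exactly when the detection
    logic (header plus content/pcre/flow options) is the same.
    """
    rules = {}
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):   # blank or disabled rule
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        sid = int(sid_m.group(1))
        rev_m = REV_RE.search(line)
        msg_m = MSG_RE.search(line)
        rev = int(rev_m.group(1)) if rev_m else 0
        msg = msg_m.group(1) if msg_m else ""
        body = MSG_RE.sub("", REV_RE.sub("", SID_RE.sub("", line)))
        body = re.sub(r"\s+", " ", body).strip()
        if sid in rules:
            raise ValueError("sid %d appears twice in one pack" % sid)
        rules[sid] = (rev, msg, body)
    return rules


def find_collisions(pack_a, pack_b):
    """Return [(sid, kind, rev_a, rev_b)] for shared SIDs whose content differs.

    'forked': revs differ, a modified copy still carrying the other pack's
    number. 'same-rev-different-content': one sid/rev pair now names two
    different detections, the case a SIEM keyed on sid/rev cannot tell
    apart. Identical rules under one sid are not reported; drop one copy.
    """
    found = []
    for sid in sorted(pack_a.keys() & pack_b.keys()):
        rev_a, _, body_a = pack_a[sid]
        rev_b, _, body_b = pack_b[sid]
        if body_a == body_b:
            continue
        kind = "forked" if rev_a != rev_b else "same-rev-different-content"
        found.append((sid, kind, rev_a, rev_b))
    return found


# Constructed packs (not real rules). PACK_A stands for the canonical GPL
# set, PACK_B for a second distribution that ships copies of it.
PACK_A = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP long command"; flow:to_server,established; content:"EXAMPLE "; nocase; isdataat:100,relative; classtype:attempted-admin; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB traversal"; flow:to_server,established; content:"../../"; http_uri; classtype:web-application-attack; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE SMTP EXPN"; flow:to_server,established; content:"EXPN"; nocase; classtype:attempted-recon; sid:1000003; rev:1;)
'''

PACK_B = r'''
# same sid, tightened with a pcre and a bumped rev: a fork
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP long command"; flow:to_server,established; content:"EXAMPLE "; nocase; isdataat:100,relative; pcre:"/^EXAMPLE\s[^\n]{100}/i"; classtype:attempted-admin; sid:1000001; rev:4;)
# byte-for-byte copy: harmless duplicate
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB traversal"; flow:to_server,established; content:"../../"; http_uri; classtype:web-application-attack; sid:1000002; rev:2;)
# same sid and rev, different content: the dangerous case for correlation
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE SMTP EXPN"; flow:to_server,established; content:"EXPN"; nocase; content:"root"; distance:0; classtype:attempted-recon; sid:1000003; rev:1;)
# number from a separate SID range: no collision
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXAMPLE POP3 USER overflow"; flow:to_server,established; content:"USER "; nocase; isdataat:200,relative; classtype:attempted-admin; sid:2000001; rev:1;)
'''


def report():
    return find_collisions(parse_rules(PACK_A), parse_rules(PACK_B))


if __name__ == "__main__":
    for sid, kind, rev_a, rev_b in report():
        print("sid %d: %s (rev %d vs rev %d)" % (sid, kind, rev_a, rev_b))
```

Run against real packs by reading each `.rules` file into a string in place of `PACK_A` and `PACK_B`. The `forked` class is what a separate SID space would eliminate; the `same-rev-different-content` class is the one to fix before either pack reaches a sensor, since nothing downstream of the alert can distinguish the two rules.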