Snort mailing list archives

Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 21 Mar 2011 12:07:53 -0400

Answering inline.

On Mon, Mar 21, 2011 at 11:43 AM, evilghost () packetmail net
<evilghost () packetmail net> wrote:
> On 03/21/11 10:26, Martin Roesch wrote:
> > Am I missing a case here?
>
> Yeah, this is an obtuse approach.  There are two ET rule packs, Open and
> Open-NoGPL.  They are just that, users of VRT who get the GPL rules would use
> Open-NoGPL.  ET-only folks would use Open, which would include the GPL rules.
>
> I don't understand the point behind re-SID and duplication, patching, etc.  If
> the changes made to an "ET" GPL rule make sense, why wouldn't VRT want to
> consider it for inclusion/update?  Vice versa.

Basically the SIDs were created for machine processing as much as they
exist for people, we don't want to have one SID mean two different
things and it's easy to change SIDs.  There are SIEM and other event
processing systems that rely completely on the SID numbers having a
discrete meaning so that any correlation they might do is correct and
consistent.  I'm not saying that they *will* become inconsistent down
the road but they *might* so just trying to think ahead it seems
easiest to me to just have a separate SID-space if they are to be,
effectively, forked.

> There's no point to fork when adjustments are made to enhance detection, improve
> performance, or reduce false positives.  Why wouldn't VRT want an improved rule?

I suppose that depends on your definition of "improved". :)  Or maybe
I should say not all rules are improved equally or something.  Anyway,
the issue on accepting a patch that improves the efficacy of the rule
at the cost of ruinous impact on performance (as an example) could be
one case where VRT wouldn't accept a patch.  I'm sure there are other
cases where similar situations could arise.

> Do you really suggest we ask dual-subscribers (VRT, and ET) to run two sets of
> the same rule, one stagnated and legacy, the other an updated re-SID of the same
> rule?

No, not really.  The ideal outcome from my standpoint is to have one
rule to detect a given attack and the canonical GPL set to remain the
canonical set.  I think case 2 that I described in my last post
reflects the "best" way to achieve that.


Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
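The concern Marty raises above, that SIEMs and other event processors treat the SID as a stable identifier and so one SID must never mean two different things, can be checked mechanically. The following script is an added example and is not code from this thread, from Sourcefire, or from Emerging Threats: it parses two Snort rule packs (the rule text and SID values are constructed for illustration), extracts each rule's header and detection options, and reports SIDs that appear in both packs with different detection logic. It also checks that a forked pack keeps its rules inside an agreed SID range, which is the separate-SID-space arrangement Marty describes.

```python
"""Detect SID collisions between two Snort rule packs.

Added example, not from the mailing-list thread.  A SIEM correlating on
SID cannot tell a canonical GPL rule from a locally patched rule that
reuses the same SID, so the check below flags any SID present in both
packs whose header or detection options differ.  All rule text and SID
values are constructed samples.
"""
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
# Options that describe the rule rather than what it detects.
NON_DETECTION = re.compile(r'(sid|rev|msg|reference|metadata|classtype|priority)\s*:')


def parse_rules(text):
    """Return {sid: {"rev", "msg", "header", "detection"}} for every
    uncommented rule in `text`.  Backslash line continuations are joined
    first; semicolons escaped as "\\;" inside content are not split on."""
    text = text.replace("\\\n", " ")
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m or "(" not in line or ")" not in line:
            continue
        sid = int(m.group(1))
        rev = REV_RE.search(line)
        msg = MSG_RE.search(line)
        header = " ".join(line[: line.index("(")].split())
        body = line[line.index("(") + 1 : line.rindex(")")]
        options = [o.strip() for o in re.split(r'(?<!\\);', body) if o.strip()]
        detection = [o for o in options if not NON_DETECTION.match(o)]
        rules[sid] = {
            "rev": int(rev.group(1)) if rev else 0,
            "msg": msg.group(1) if msg else "",
            "header": header,
            "detection": detection,
        }
    return rules


def find_collisions(pack_a, pack_b):
    """Return [(sid, msg_a, msg_b)] for SIDs present in both packs whose
    header or detection options differ: one SID with two meanings."""
    collisions = []
    for sid in sorted(set(pack_a) & set(pack_b)):
        a, b = pack_a[sid], pack_b[sid]
        if a["header"] != b["header"] or a["detection"] != b["detection"]:
            collisions.append((sid, a["msg"], b["msg"]))
    return collisions


def sids_outside_range(pack, low, high):
    """Return SIDs in `pack` outside [low, high].  A forked pack confined to
    its own SID space should yield an empty list."""
    return sorted(s for s in pack if not low <= s <= high)


# Constructed sample packs.  The SID values and rule text are illustrative
# only and do not correspond to any published VRT or ET rule.
CANONICAL = r'''
# canonical GPL pack (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE 403 Forbidden"; flow:to_client,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:2100001; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE admin attempt"; flow:to_server,established; content:"/admin"; nocase; classtype:attempted-recon; sid:2100002; rev:3;)
'''

FORKED = r'''
# forked pack (constructed sample): 2100001 patched in place, 2100002
# untouched, and one new rule placed in a separate SID space
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE 403 Forbidden"; flow:to_client,established; content:"HTTP/1.1 403"; depth:12; content:"Forbidden"; within:30; classtype:attempted-recon; sid:2100001; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE admin attempt"; flow:to_server,established; content:"/admin"; nocase; classtype:attempted-recon; sid:2100002; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE forked 403 Forbidden"; flow:to_client,established; content:"HTTP/1.1 403"; depth:12; content:"Forbidden"; within:30; classtype:attempted-recon; sid:9000001; rev:1;)
'''


if __name__ == "__main__":
    canon, fork = parse_rules(CANONICAL), parse_rules(FORKED)
    for sid, msg_a, msg_b in find_collisions(canon, fork):
        print(f"SID {sid} has two meanings: {msg_a!r} vs {msg_b!r}")
    stray = sids_outside_range(fork, 2100000, 2199999)
    print("forked SIDs outside the GPL range:", stray)
```

Running the script reports SID 2100001 as a collision (the forked copy added a second content match under the same SID) while 2100002 is silent because its detection options are identical, and it lists 9000001 as the one forked rule that lives in its own SID space. Rules that only differ in `rev`, `msg` or `metadata` are deliberately not flagged, since those changes do not alter what an alert with that SID means.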
