Snort mailing list archives
Re: [Snort-sigs] Snort 2.8.6.1 EOL Reminder
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 1 Dec 2011 17:24:02 -0500
I'd prefer to keep the discussion on the list it started on. Thanks for the offer.

I've contemplated responding to this thread. However, I feel that any way that I respond to point out the merits and differences between the rulesets will just be seen as a flame war. We've done this before, and I am not about to do it again. I've contributed to both rulesets, I know how they both work, and I'm probably the only person that does.

I will correct an incorrect statement with my own statement that we haven't released any closed GID 3 rules since May of 2011. All of our rules have been open since then. In fact, we've gone back through and opened up the vast majority of the GID rules that we were allowed to. Anything else I say I think will be misconstrued as "someone from the VRT pouncing on ET", even though I'm both a member of the VRT and the OpenSource Community Manager.

If the facts are wanted, I'd be glad to discuss, but I am concerned about the above.

Joel

On Dec 1, 2011, at 4:56 PM, Matthew Jonkman wrote:
Thanks for the good words. Both rulesets are quite good, just different focus for each, and different platforms supported. I think it'll cause much more heartburn if I were to explain my perception of the differences in the rulesets on the sourcefire lists here, so if no one minds I'll take that over to the emerging-sigs list and we can talk about it more there.

Matt

On Dec 1, 2011, at 4:50 PM, L0rd Ch0de1m0rt wrote:

Shawn, this is a good question. Simply put, the VRT ruleset is geared more toward exploits and ET is geared more toward malware and, obviously, emerging threats. That said, there is a lot of overlap. My understanding is that a lot of effort went into the ET ruleset (open and pro) before the ET Pro launch and some of that was adding rules so the ET ruleset covered a lot of what VRT covered as well. I could be wrong about that (I'm not officially affiliated with VRT or Emerging Threats by the way).

The ET Pro ruleset does have coverage for stuff like the monthly Microsoft vulnerabilities and more. I believe they have access to the MS patch pre-release data MS gives to security companies (this is one reason why ET Pro requires an NDA I believe). This, along with the support, active development, and QA is why ET Pro is not free. Speaking of NDA, there is one of those but the rules are still all text based which is nice because you can get a better idea of why a rule fired, unlike some VRT GID3 rules that are closed source. I guess ET just expects you to abide by the NDA and they only do business with legit companies.

Personally, I stopped updating the VRT rules a while back. The rules were not very efficient or timely enough for me. I still run a few older ones I find useful from time to time. This is just my 2 cents; Matt could probably give you a more detailed and better answer; I'll include him on this response. You may also wish to ask the emerging-sigs mailing list (http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs) for people's opinions.
Cheers,
-L0rd Ch0de1m0rt

On 12/1/11, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

I've been curious what the differences between the ET paid rules and the VRT subscription rules are. I'm hoping this can be discussed without opening a huge flame war. :) For background, I'm currently running the VRT subscription rules with the ET free rules.

For instance, the VRT is part of the MS program that releases vuln data early (and typically these rules are .so rules). Does ET get this data? How do they deal with non-disclosure, since I think all the rules are text based? For the most part, is everything in the VRT ruleset covered in the ET ruleset? Could I drop VRT for instance and just run ET pro?

-----Original Message-----
From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
Sent: Thursday, December 01, 2011 1:06 PM
To: Joel Esler
Cc: snort-sigs () lists sourceforge net; snortusers () googlegroups com; snort-users () lists sourceforge net Users; Snort-Signatures
Subject: Re: [Snort-users] [Snort-sigs] Snort 2.8.6.1 EOL Reminder

Thanks for the reminder, Joel. Those who can't upgrade to a newer or newest version of Snort, or wish to use a different ruleset alongside, or instead of the VRT set, should definitely check out Emerging Threats Pro -- http://www.emergingthreatspro.com/. The Emerging Threats Open rules are free and updated almost daily to respond to the latest threats and I have found them to be quite effective, timely, and properly QAed. There are also some you can pay for as well (cheaper than VRT I think); see http://www.emergingthreatspro.com/products/ for details. Emerging Threats Open/Pro supports rules for Snort 2.4.0 up to the current version, as well as rules optimised for Suricata (http://www.openinfosecfoundation.org/index.php/download-suricata). Personally, I like https://rules.emergingthreatspro.com/open-nogpl/.

That said, if you are still running an older version of Snort, I highly encourage you to update since there are a lot of new and extremely helpful features in newer versions that allow for more accurate and efficient rules.

Cheers,
-L0rd Ch0de1m0rt

On 11/28/11, Joel Esler <jesler () sourcefire com> wrote:

As a reminder, today's rule release marks the last rule release for Snort 2.8.6.1: http://blog.snort.org/2011/11/vrt-rule-update-for-11282011.html

Please upgrade to the current version of Snort (2.9.1.2) available at http://www.snort.org/snort-downloads

Our EOL policy and dates of EOL for Snort versions can be found here: http://www.snort.org/vrt/rules/eol_policy

Thanks!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------