Snort mailing list archives

Re: Licensing


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 8 Mar 2005 10:57:52 -0500

One other point: We run the rules through an extensive QA process to verify that they function correctly and that the entire rest of the rule set functions properly after integration (i.e. a full regression test). We run on the order of 6.8 million tests every time we QA a new rule set to verify that the rules still fire as they should and don't fire when they shouldn't. We also pay attention to performance when we develop rules so that our gigabit sensors don't turn into 100Mb sensors; it's entirely possible to write PCRE rules that take *seconds* to run per packet...

Additionally, we have the capability in house to develop rules for vulnerabilities that don't have public exploits available in the wild. A good example of this was the LSASS.EXE vulnerability that turned into the Sasser worm. We got notification of the vulnerability along with the rest of the world on Microsoft Tuesday and quickly reverse engineered the vulnerability and generated rules. We had rules available that could pick up almost every variant of Sasser a week before the worm hit. A more recent example is all the updates that we've added to netbios.rules for things like ms05-010 and ms05-011.

We have an extensive research and testing capability that we've developed over the years here and it's translating directly into high quality rules that allow Snort to have accurate detection while retaining high performance capabilities in addition to having rules that are available in advance of exploits. That's the value associated with the VRT rules today and we intend to bring more to the table as the service matures.

     -Marty


On Mar 8, 2005, at 2:54 AM, Lee Clemens wrote:

I assume, by "the rest", you mean the community rules? My understanding is that the VRT rules are the ones produced and looked over by SF and released with each major Snort version (Snort point x._._). Getting the newer versions basically means you will have rules that are more current with ongoing network/internet activities/vulnerable/worms/viruses that are out there at that given time.

An example might be if virus.X comes out, new rules would be written and released by VRT to detect it (possibly long) before a new major version of Snort may be released.

I hope that helps clarify your question...if it doesn't please let me know more specifically what your question is. Basically, it gives you advanced detection capabilities...

--Lee

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Florin Andrei
Sent: Tuesday, March 08, 2005 12:15 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Licensing

On Mon, 2005-03-07 at 21:53 -0500, Martin Roesch wrote:

3) VRT rules developed and QA'd at Sourcefire will be available for
commercial redistribution if the commercial entity acquires a license
from Sourcefire.

Can someone explain to a guy who used Snort long time ago but didn't
keep in touch - what are the VRT rules and how are they different from
the rest? I know they're QA'd by SF, i wonder from a practical
standpoint - what do they give me, a Snort user, that the other rules
don't?

--
Florin Andrei

http://florin.myip.org/



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
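Marty's remark above that a badly written PCRE rule can take seconds per packet is the reason rule writers put a cheap literal `content:` match in front of any `pcre:` option, and avoid nested quantifiers in the regex itself. The following is an added illustration written for this archive page, not Snort source code and not a VRT rule: a toy rule evaluator that models "content prefilter, then regex" and counts how often the regex engine is actually invoked, plus a timing helper for a pathological versus a bounded pattern. The sample HTTP payloads are constructed, the `/cgi-bin/` injection regex and the SIDs are hypothetical, and Python's `re` stands in for PCRE (both are backtracking engines, so the cost behaviour is the same).

```python
"""Toy model of a Snort rule with both `content:` and `pcre:` options.

Added example for illustration only: Snort's real detection engine
(multi-pattern fast-pattern matcher, rule option trees) is far more
involved.  This shows only the two rule-writing habits the thread
alludes to: anchor an expensive regex behind a literal, and avoid
regexes whose cost explodes with payload length.
"""
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Pattern, Tuple


@dataclass
class Rule:
    sid: int
    content: Optional[bytes]        # literal prefilter; None = no content: option
    pcre: Pattern                    # compiled regex, tried only if content matched
    pcre_evaluations: int = field(default=0, init=False)

    def matches(self, payload: bytes) -> bool:
        # Cheap literal check first.  If the literal is absent the regex
        # engine is never touched, which is what keeps per-packet cost low
        # on the overwhelming majority of traffic the rule does not apply to.
        if self.content is not None and self.content not in payload:
            return False
        self.pcre_evaluations += 1
        return self.pcre.search(payload) is not None


# Constructed sample payloads (not captured traffic).  Index 3 is the "attack":
# a shell metacharacter injected into a cgi-bin query string.
SAMPLE_PAYLOADS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=secret1",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/status.cgi?host=127.0.0.1;id HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/help.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"SSH-2.0-OpenSSH_3.9p1\r\n",
]

# Hypothetical detection regex: cgi-bin script, a query string, and one of ; | `
CGI_INJECTION = re.compile(rb"/cgi-bin/[^\s?]+\?[^\s]*[;|`]")


def run_rules(payloads: List[bytes]) -> Tuple[List[int], List[int], int, int]:
    """Evaluate an unanchored and a content-anchored version of the same pcre.

    Returns (indices hit by unanchored rule, indices hit by anchored rule,
             regex evaluations by unanchored rule, regex evaluations by anchored rule).
    Both rules must find the same packets; only the work done differs.
    """
    unanchored = Rule(sid=1000001, content=None, pcre=CGI_INJECTION)
    anchored = Rule(sid=1000002, content=b"/cgi-bin/", pcre=CGI_INJECTION)
    hits_u = [i for i, p in enumerate(payloads) if unanchored.matches(p)]
    hits_a = [i for i, p in enumerate(payloads) if anchored.matches(p)]
    return hits_u, hits_a, unanchored.pcre_evaluations, anchored.pcre_evaluations


# Nested quantifiers: on a run of 'a' with no trailing 'b', the engine tries
# every way of splitting the run between the inner and outer '+' before it
# gives up.  Work doubles with every extra byte of payload.
PATHOLOGICAL = re.compile(rb"^(a+)+b")
# Same intent with one quantifier and an explicit length cap: linear and bounded.
BOUNDED = re.compile(rb"^a{1,64}b")


def time_search(pattern: Pattern, payload: bytes) -> Tuple[bool, float]:
    """Return (matched, seconds elapsed) for one regex search over one payload."""
    t0 = time.perf_counter()
    found = pattern.search(payload) is not None
    return found, time.perf_counter() - t0


if __name__ == "__main__":
    hits_u, hits_a, evals_u, evals_a = run_rules(SAMPLE_PAYLOADS)
    print(f"unanchored rule: hits={hits_u} regex evaluations={evals_u}")
    print(f"anchored rule:   hits={hits_a} regex evaluations={evals_a}")

    # 22 bytes already costs noticeable time; each additional 'a' doubles it.
    payload = b"a" * 22 + b"c"
    for name, pat in (("pathological", PATHOLOGICAL), ("bounded", BOUNDED)):
        found, secs = time_search(pat, payload)
        print(f"{name:13s} matched={found} took {secs:.4f}s")
```

Both rules report the same single hit, but the anchored rule runs the regex only on the two payloads that contain `/cgi-bin/` rather than on all six; on a real sensor that ratio is what separates a gigabit rule set from one that drowns the CPU. The timing half has no assertion because its value is hardware-dependent; adding a few more bytes to `payload` is enough to see the pathological pattern reach the "seconds per packet" regime Marty describes, while the bounded pattern stays flat.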
