Snort mailing list archives

Previous By Date Next
Previous By Thread Next

help

From: "Jan Andreasson" <Jan () bearcom se>
Date: Tue, 8 Mar 2005 19:36:43 +0100
 

-----Ursprungligt meddelande-----
Från: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] För 
snort-users-request () lists sourceforge net
Skickat: den 8 mars 2005 19:33
Till: snort-users () lists sourceforge net
Ämne: Snort-users digest, Vol 1 #4990 - 13 msgs

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Licensing (Matt Kettler)
   2. Re: Snort Center 2.x (Alex Kirk)
   3. Re: tcp flood (Matt Kettler)
   4. Now that I have my oink code (Paul Schmehl)
   5. RE: Now that I have my oink code (Joshua Berry)
   6. Snort rule lookup from ACID broken?? (Marc Hering)
   7. Re: Snort rule lookup from ACID broken?? (=?ISO-8859-1?Q?Geffrey_Vel=E1squez?=)
   8. Re: Now that I have my oink code (Paul Schmehl)
   9. RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject (Marc Hering)
  10. RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken
       ?? - Email found in subject (SRH-Lists)
  11. My Experience with the new Sourcefire VRT rules.. (Marc Hering)
  12. RE: My Experience with the new Sourcefire VRT rules.. (Scott Morris)

--__--__--

Message: 1
Date: Tue, 08 Mar 2005 11:13:13 -0500
To: "Peter J Manis" <pmanis () comcast net>,
   "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland () erdc usace army mil>,
   <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Licensing

At 09:11 PM 3/7/2005, Peter J Manis wrote:

I think you misinterpreted Marty's email.  Sourcefire doesnt allow you 
to bundle VRT rules in a commercial product no matter if you have a 
subscription or not, at least thats what the license says.


I didn't say a subscription would allow commercial redistribution. I said you had to pay in order to do commercial 
redistribution. i.e.: you need to obtain a commercial license from SF.

Basically there are two situations that involve you having to pay money of some amount to Sourcefire for the VRT rules. 
1) if you want them fast you need a subscription 2) if you want to bundle them you need a commercial distribution 
license.

Obviously 1) much cheaper, and 2) is subject to negotiations.





--__--__--

Message: 2
Date: Tue, 08 Mar 2005 11:32:08 -0500
From: Alex Kirk <alex.kirk () sourcefire com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Center 2.x

Jason,

I went out and got the latest copy of Snortcenter from Sourceforge (snortcenter-release.tar.gz from 2004-12-29, to be 
precise) when I saw this, so I could help you get it fixed. You'll at least need to update $snortrules_url in 
config.php to add an Oinkcode and reflect the new location, as discussed on this list by those using Oinkmaster. Just 
for clarification, once you register -- which is free and easy -- you can generate an Oinkcode for each IP that you 
need to download rules from with a very simple form in the User Preferences section of the new site.

In cases where forced downloading is not enabled (i.e. there is no "force" parameter in the URI for db_pars.php, and 
thus if(!$force) succeeds on line 32 of that file), you'll also need to have an updated
MD5 download path. At the moment, we don't have a
snortrules-snapshot-2.3.tar.gz.md5 file, but that should be fixed shortly.

Alex Kirk
Research Analyst
Sourcefire, Inc.


Hello,

For all of you that are using Snortcenter still the new snort website 
has totally broken all rule import functionality.  I'm looking at the 
different rule sets and what the requirements are for getting them and 
what information needs to be passed to the website.  But at this time 
I'm not sure what needs to be done to get it working again.

Jason Alexander


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid 
reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





--__--__--

Message: 3
Date: Tue, 08 Mar 2005 11:34:16 -0500
To: SN ORT <snort_on_acid () yahoo com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] tcp flood

At 09:51 AM 3/8/2005, SN ORT wrote:

Yeah, any IoS Cisco that is, including the new IoS for PiX. Thanks.


Of course, the new OS for the PiX isn't released yet, so it doesn't do the OP any good. They have a public deta sheet 
so we can plan for it, but that's all that's in public release. (PiX OS 7.0 is in beta, but that's not available to 
normal users with support contracts, you need a separate level of access and an NDA for the beta)

also,minor point: technically it's PiX OS, not IOS. I only point it out because it's one common way to distinguish the 
product lines.. "It's an IOS based firewall" explicitly means it's not a PiX, but a router with the FWFS added on.




--__--__--

Message: 4
Date: Tue, 08 Mar 2005 11:39:41 -0600
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Now that I have my oink code

When will it work?  Right now it doesn't.  How much time lag is there before the oink code allows me to d/l the ruleset?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


--__--__--

Message: 5
Subject: RE: [Snort-users] Now that I have my oink code
Date: Tue, 8 Mar 2005 11:42:02 -0600
From: "Joshua Berry" <jberry () PENSON COM>
To: "Paul Schmehl" <pauls () utdallas edu>,
        <snort-users () lists sourceforge net>

I was able to download immediately.  I just had to figure out what IP my internal system was NATting to outbound.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Tuesday, March 08, 2005 11:40 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Now that I have my oink code

When will it work?  Right now it doesn't.  How much time lag is there=20 before the oink code allows me to d/l the 
ruleset?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=3D6595&alloc_id=3D14396&op=3Dclick
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users


--__--__--

Message: 6
Date: Tue, 8 Mar 2005 12:45:46 -0500
From: "Marc Hering" <mhering () reval com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort rule lookup from ACID broken??

This is a multi-part message in MIME format.

------_=_NextPart_001_01C52406.A8584727
Content-Type: text/plain;
        charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Hey Guys,
Is it just me, or since they changed the website, If I get an alert in ACID, and I click on "Snort" which usually takes 
me to a description of the rule that was violated..Now I get "Oink page not found"  Is this just me or is this 
universal????
=20
=20
<M>

------_=_NextPart_001_01C52406.A8584727
Content-Type: text/html;
        charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type 
content=3D"text/html; = charset=3Dus-ascii"> <META content=3D"MSHTML 6.00.2800.1491" name=3DGENERATOR></HEAD> <BODY> 
<DIV><SPAN class=3D641204417-08032005><FONT face=3DArial size=3D2>Hey=20 Guys,</FONT></SPAN></DIV> <DIV><SPAN 
class=3D641204417-08032005><FONT face=3DArial size=3D2>Is it = just me, or=20 since they changed the website, If I get 
an alert in ACID, and I click = on=20 "Snort" which usually takes me to a description of the rule that was=20 
violated..Now I get "Oink page not found"&nbsp; Is this just me or is = this=20 universal????</FONT></SPAN></DIV> 
<DIV><SPAN class=3D641204417-08032005><FONT face=3DArial=20 size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D641204417-08032005><FONT face=3DArial=20 size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D641204417-08032005><FONT face=3DArial=20 size=3D2>&lt;M&gt;</FONT></SPAN></DIV></BODY></HTML>

------_=_NextPart_001_01C52406.A8584727--


--__--__--

Message: 7
Date: Tue, 08 Mar 2005 12:49:23 -0500
From: =?ISO-8859-1?Q?Geffrey_Vel=E1squez?= <gvelasquez () minag gob pe>
To: Marc Hering <mhering () reval com>
CC:  snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule lookup from ACID broken??

Yes! there is no more access using the url:

http://www.snort.org/snort-db/sid.html?sid=NUMBER



Marc Hering escribió:


Hey Guys,
Is it just me, or since they changed the website, If I get an alert in 
ACID, and I click on "Snort" which usually takes me to a description 
of the rule that was violated..Now I get "Oink page not found"  Is 
this just me or is this universal????
 
 
<M>






--__--__--

Message: 8
Date: Tue, 08 Mar 2005 11:55:07 -0600
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Now that I have my oink code

--On Tuesday, March 08, 2005 11:39:41 AM -0600 Paul Schmehl <pauls () utdallas edu> wrote:


When will it work?  Right now it doesn't.  How much time lag is there 
before the oink code allows me to d/l the ruleset?


Never mind......

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


--__--__--

Message: 9
Subject: RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject
Date: Tue, 8 Mar 2005 12:54:34 -0500
From: "Marc Hering" <mhering () reval com>
To: =?iso-8859-1?Q?Geffrey_Vel=E1squez?= <gvelasquez () minag gob pe>
Cc: <snort-users () lists sourceforge net>

Well that sucks............Does anyone know if there is another = Interface like that one anymore???? It saves me a lot 
of work!!!



Thanks!=20

-----Original Message-----
From: Geffrey Vel=E1squez [mailto:gvelasquez () minag gob pe]=20
Sent: Tuesday, March 08, 2005 12:49 PM
To: Marc Hering
Cc: snort-users () lists sourceforge net
Subject: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? =
- Email found in subject

Yes! there is no more access using the url:

http://www.snort.org/snort-db/sid.html?sid=3DNUMBER



Marc Hering escribi=F3:


Hey Guys,
Is it just me, or since they changed the website, If I get an alert in 
=



ACID, and I click on "Snort" which usually takes me to a 
description=20 of the rule that was violated..Now I get "Oink page not 
found"  Is=20 this just me or is this universal????
=20
=20
<M>






--__--__--

Message: 10
From: SRH-Lists <giermo () 333tech com>
To: 'Marc Hering' <mhering () reval com>, =?iso-8859-1?Q?Geffrey_Vel=E1squ?=
        =?iso-8859-1?Q?ez?= <gvelasquez () minag gob pe>
Cc: snort-users () lists sourceforge net
Subject: RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken
        ?? - Email found in subject
Date: Tue, 8 Mar 2005 11:59:33 -0600 



Yes! there is no more access using the url:
=20
http://www.snort.org/snort-db/sid.html?sid=3DNUMBER
=20
=20
=20
Marc Hering escribi=F3:
=20

Hey Guys,
Is it just me, or since they changed the website, If I get=20

an alert in=20

ACID, and I click on "Snort" which usually takes me to a=20

description=20

of the rule that was violated..Now I get "Oink page not found"  
Is=20 this just me or is this universal????
=20
=20
<M>


It is in the works:
http://www.snort.org/rules/search.html

<quote>
We are currently developing an enhanced rule search engine, which will be available shortly. We apologize for any 
inconvenience this may = cause.
</quote>

-steve



--__--__--

Message: 11
Date: Tue, 8 Mar 2005 13:19:31 -0500
From: "Marc Hering" <mhering () reval com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] My Experience with the new Sourcefire VRT rules..

This is a multi-part message in MIME format.

------_=_NextPart_001_01C5240B.5F3CA0AD
Content-Type: text/plain;
        charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

=20
Well,=20
I know there has been a lot of debate over the new VRT Rules and licensing methods from Sourcefire.  I was staying on 
the sidelines due to my relative newness to Snort in general, but now that I have had some interaction with the new 
website I wanted to let everyone know my experiences..  This is just what happened to me, and I am not trying to start 
any flame wars...so if you agree with me then great, if you don't agree with me then great!
=20
Let me start out by saying that I personally don't have a problem with what SF is doing,  After all, if I didn't want 
to pay I can still get the rules 5 days later for free or write my own.  but since I need the rules pretty fast (and I 
am not the best at writing rules..) I was ok
with paying the subscription fee.   So I mosey on over to snort.org and
try to sign up. =20
=20
Well, all I can say is that if you are like me and don't mind paying the subscription, then GOOD LUCK!!  Finding the 
pricing is damn near impossible, and when you follow the link to even sign up, it tries to take you to a secure site 
THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it doesn't protect snort.ort  it is for sourcefire.com) then 
when I get to the signup page, firefox reports that this site is not secure at all (even though it says https, there is 
no encryption
going on) Yean I'm gonna transmit info plaintext..NOT!   And still no
mention of how much it costs until after you create an account.....  Oh and for all you ACID users out there, I just 
found out that you can't do a rule lookup anymore even if you are a subscriber ( In their defense, they DO say the rule 
lookup function is forthcoming and I am sure some clever person will write a patch eventually) =20 I completely 
understand why Sourcefire is changing the way the rules are distributed, and I support them in it after all, they do 
deserve to get paid for hard work, however if they are going to make a change like this that affects the whole snort 
community, then I would request that they at least make sure that everything works before they put it live!
Thanks!
=20
</rant mode>

------_=_NextPart_001_01C5240B.5F3CA0AD
Content-Type: text/html;
        charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type 
content=3D"text/html; = charset=3Dus-ascii"> <META content=3D"MSHTML 6.00.2800.1491" name=3DGENERATOR></HEAD> <BODY> 
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20 size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>Well,=20 </FONT></SPAN></DIV> <DIV><SPAN 
class=3D038145717-08032005><FONT face=3DArial size=3D2>I know = there has=20 been a lot of debate over the new VRT 
Rules and licensing methods from=20 Sourcefire. &nbsp;I was staying on the sidelines due to my relative = newness to=20 
Snort in general, but now that I have had some interaction with the new = website=20 I wanted to let everyone know my 
experiences..&nbsp; This is just what = happened=20 to me, and I am not trying to start any flame wars...so if you 
agree = with me=20 then great, if you don't agree with me then great!</FONT></SPAN></DIV> <DIV><SPAN 
class=3D038145717-08032005><FONT face=3DArial=20 size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>Let me = start out by=20 saying that I personally 
don't have a problem with what SF is = doing,&nbsp; After=20 all, if I didn't want to pay I can still get the rules 5 
days later for = free or=20 write my own.&nbsp;&nbsp;but since I need&nbsp;the rules pretty fast = (and I am=20 not the 
best at writing rules..)&nbsp;I was ok with paying&nbsp;the=20 subscription&nbsp;fee.&nbsp;&nbsp; So I mosey on over to 
snort.org and = try to=20 sign up.&nbsp; </FONT></SPAN></DIV> <DIV><SPAN class=3D038145717-08032005><FONT 
face=3DArial=20 size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>Well, = all I can say=20 is that if you are like me 
and don't mind paying the subscription,=20 then&nbsp;GOOD LUCK!!&nbsp; Finding the pricing is damn near impossible, = 
and=20 when you follow the link to even&nbsp;sign up, it tries to take you to a = secure=20 site THAT HAS AN INVALID 
CERTIFICATE! (the cert is valid, but it doesn't = protect=20 snort.ort&nbsp; it is for sourcefire.com)&nbsp;&nbsp; then 
when I get to = the=20 signup page, firefox reports that this site is not secure at all (even = though it=20 says 
https, there is no encryption going on) Yean I'm gonna transmit = info=20 plaintext..NOT!&nbsp;&nbsp; And still no 
mention of how much it costs = until=20 after you create an account.....&nbsp; Oh and for all you ACID users out = 
there,=20 I just found out that you can't do a rule lookup anymore even if you are = a=20 subscriber ( In their 
defense, they DO&nbsp;say the rule lookup function = is=20 forthcoming and I am sure some clever person will write a 
patch=20 eventually)</FONT></SPAN></DIV> <DIV><SPAN class=3D038145717-08032005></SPAN><SPAN = 
class=3D038145717-08032005><FONT=20
face=3DArial size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>I = completely=20 understand why Sourcefire is 
changing the way the rules are distributed, = and I=20 support them in it after all, they do deserve to get paid for 
hard work, = however=20 if they are going to make a change like this that affects the whole = snort=20 community, then 
I would request that they at least make sure that = everything=20 works&nbsp;before they put it 
live!</FONT></SPAN></DIV> <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20 
size=3D2>Thanks!</FONT></SPAN></DIV>
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20 size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D038145717-08032005><FONT face=3DArial = size=3D2>&lt;/rant=20 
mode&gt;</FONT></SPAN></DIV></BODY></HTML>

------_=_NextPart_001_01C5240B.5F3CA0AD--


--__--__--

Message: 12
Subject: RE: [Snort-users] My Experience with the new Sourcefire VRT rules..
Date: Tue, 8 Mar 2005 13:32:25 -0500
From: "Scott Morris" <Scott.Morris () syniverse com>
To: <snort-users () lists sourceforge net>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C5240D.2CB8F750
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

=20
    It is a new site so I'll give them slack there. However our corporate counsel had  apoplexy when he saw the license 
terms.
Particularly the granting access to books, records and facilities.=20 =20 You will, from time to time and as requested 
by Sourcefire, provide assurances to Sourcefire that you are using the VRT Certified Rules consistent with a Permitted 
Use, and you grant Sourcefire access, at reasonable times and in a reasonable manner, to the VRT Certified Rules in 
your possession or control, and to your books, records and facilities to permit Sourcefire to verify appropriate use of 
the VRT Certified Rules and compliance with this Agreement.

        -----Original Message-----
        From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marc Hering
        Sent: Tuesday, March 08, 2005 1:20 PM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] My Experience with the new Sourcefire VRT rules..
=09
=09
        =20
        Well,=20
        I know there has been a lot of debate over the new VRT Rules and licensing methods from Sourcefire.  I was 
staying on the sidelines due to my relative newness to Snort in general, but now that I have had some interaction with 
the new website I wanted to let everyone know my experiences..  This is just what happened to me, and I am not trying 
to start any flame wars...so if you agree with me then great, if you don't agree with me then great!
        =20
        Let me start out by saying that I personally don't have a problem with what SF is doing,  After all, if I 
didn't want to pay I can still get the rules 5 days later for free or write my own.  but since I need the rules pretty 
fast (and I am not the best at writing rules..) I
was ok with paying the subscription fee.   So I mosey on over to
snort.org and try to sign up. =20
        =20
        Well, all I can say is that if you are like me and don't mind paying the subscription, then GOOD LUCK!!  
Finding the pricing is damn near impossible, and when you follow the link to even sign up, it tries to take you to a 
secure site THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it doesn't protect snort.ort  it is for 
sourcefire.com) then when I get to the signup page, firefox reports that this site is not secure at all (even though it 
says https, there is no encryption
going on) Yean I'm gonna transmit info plaintext..NOT!   And still no
mention of how much it costs until after you create an account.....  Oh and for all you ACID users out there, I just 
found out that you can't do a rule lookup anymore even if you are a subscriber ( In their defense, they DO say the rule 
lookup function is forthcoming and I am sure some clever person will write a patch eventually)
        =20
        I completely understand why Sourcefire is changing the way the rules are distributed, and I support them in it 
after all, they do deserve to get paid for hard work, however if they are going to make a change like this that affects 
the whole snort community, then I would request that they at least make sure that everything works before they put it 
live!
        Thanks!
        =20
        </rant mode>

------_=_NextPart_001_01C5240D.2CB8F750
Content-Type: text/html;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii"=



<META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT face=3DArial color=3D#0000ff 
size=3D2></FONT>&nbsp;</DIV> <DIV><SPAN class=3D421582418-08032005><FONT face=3DArial color=3D#0000ff=20 
size=3D2>&nbsp;&nbsp;&nbsp; It is a new site so I'll give them slack ther= e.=20 However our corporate counsel 
had&nbsp;<!--StartFragment --><FONT=20 face=3D"Times New Roman" color=3D#000000 size=3D3> <FONT face=3DArial col= 
or=3D#0000ff=20 size=3D2>apoplexy when he saw the license terms. Particularly the grantin= g access=20 to books, 
records and facilities. </FONT></FONT></FONT></SPAN></DIV>
<DIV><SPAN class=3D421582418-08032005><FONT size=3D2></FONT></SPAN>&nbsp;= </DIV> <DIV><SPAN 
class=3D421582418-08032005><FONT size=3D2>You will, from time = to time and=20 as requested by Sourcefire, provide 
assurances to Sourcefire that you are=  using=20 the VRT Certified Rules consistent with a Permitted Use, and you 
grant=20 Sourcefire access, at reasonable times and in a reasonable manner, to the=  VRT=20 Certified Rules in your 
possession or control, and to your books, records=  and=20 facilities to permit Sourcefire to verify appropriate use of 
the VRT Cert= ified=20 Rules and compliance with this Agreement.</DIV></FONT></SPAN> <BLOCKQUOTE dir=3Dltr 
style=3D"MARGIN-RIGHT: 0px">
  <DIV></DIV>
  <DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr align=3Dleft><= FONT=20
  face=3DTahoma size=3D2>-----Original Message-----<BR><B>From:</B>=20
  snort-users-admin () lists sourceforge net=20
  [mailto:snort-users-admin () lists sourceforge net] <B>On Behalf Of </B>Ma= rc=20
  Hering<BR><B>Sent:</B> Tuesday, March 08, 2005 1:20 PM<BR><B>To:</B>=20
  snort-users () lists sourceforge net<BR><B>Subject:</B> [Snort-users] My=20
  Experience with the new Sourcefire VRT rules..<BR><BR></FONT></DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20
  size=3D2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>Well,= =20
  </FONT></SPAN></DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>I kno= w there has=20
  been a lot of debate over the new VRT Rules and licensing methods from=20
  Sourcefire. &nbsp;I was staying on the sidelines due to my relative new= ness to=20
  Snort in general, but now that I have had some interaction with the new= =20
  website I wanted to let everyone know my experiences..&nbsp; This is ju= st what=20
  happened to me, and I am not trying to start any flame wars...so if you=  agree=20
  with me then great, if you don't agree with me then great!</FONT></SPAN=

</DIV>

  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20
  size=3D2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>Let m= e start out=20
  by saying that I personally don't have a problem with what SF is doing,= &nbsp;=20
  After all, if I didn't want to pay I can still get the rules 5 days lat= er for=20
  free or write my own.&nbsp;&nbsp;but since I need&nbsp;the rules pretty=  fast=20
  (and I am not the best at writing rules..)&nbsp;I was ok with paying&nb= sp;the=20
  subscription&nbsp;fee.&nbsp;&nbsp; So I mosey on over to snort.org and = try to=20
  sign up.&nbsp; </FONT></SPAN></DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20
  size=3D2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>Well,=  all I can=20
  say is that if you are like me and don't mind paying the subscription,=20
  then&nbsp;GOOD LUCK!!&nbsp; Finding the pricing is damn near impossible= , and=20
  when you follow the link to even&nbsp;sign up, it tries to take you to = a=20
  secure site THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it= =20
  doesn't protect snort.ort&nbsp; it is for sourcefire.com)&nbsp;&nbsp; t= hen=20
  when I get to the signup page, firefox reports that this site is not se= cure at=20
  all (even though it says https, there is no encryption going on) Yean I= 'm=20
  gonna transmit info plaintext..NOT!&nbsp;&nbsp; And still no mention of=  how=20
  much it costs until after you create an account.....&nbsp; Oh and for a= ll you=20
  ACID users out there, I just found out that you can't do a rule lookup = anymore=20
  even if you are a subscriber ( In their defense, they DO&nbsp;say the r= ule=20
  lookup function is forthcoming and I am sure some clever person will wr= ite a=20
  patch eventually)</FONT></SPAN></DIV>
  <DIV><SPAN class=3D038145717-08032005></SPAN><SPAN=20
  class=3D038145717-08032005><FONT face=3DArial size=3D2></FONT></SPAN>&n= bsp;</DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>I com= pletely=20
  understand why Sourcefire is changing the way the rules are distributed= , and I=20
  support them in it after all, they do deserve to get paid for hard work= ,=20
  however if they are going to make a change like this that affects the w= hole=20
  snort community, then I would request that they at least make sure that= =20
  everything works&nbsp;before they put it live!</FONT></SPAN></DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20
  size=3D2>Thanks!</FONT></SPAN></DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial=20
  size=3D2></FONT></SPAN>&nbsp;</DIV>
  <DIV><SPAN class=3D038145717-08032005><FONT face=3DArial size=3D2>&lt;/= rant=20
  mode&gt;</FONT></SPAN></DIV></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C5240D.2CB8F750--



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: