Snort mailing list archives
RE: Licensing
From: "Snort" <Snort () InterCept Net>
Date: Tue, 8 Mar 2005 17:46:24 -0500
It looks like the format of the rules has changed also. The community rules have the following blurb in the msg field, (msg:"COMMUNITY .....") and the rules download only seems to be updates and not complete snapshots, also with new names (community-exploit.rules). Will there be a snapshot download for the community rules, or will we just now have to append the updates to our current rules/configs? Seems we all have our work cut out for us during this transition....

Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin Roesch
Posted At: Tuesday, March 08, 2005 10:58 AM
Posted To: Snort
Conversation: [Snort-users] Licensing
Subject: Re: [Snort-users] Licensing

One other point: We run the rules through an extensive QA process to verify that they function correctly and that the entire rest of the rule set functions properly after integration (i.e. a full regression test). We run on the order of 6.8 million tests every time we QA a new rule set to verify that the rules still fire as they should and don't fire when they shouldn't. We also pay attention to performance when we develop rules so that our gigabit sensors don't turn into 100Mb sensors; it's entirely possible to write PCRE rules that take *seconds* to run per packet...

Additionally, we have the capability in house to develop rules for vulnerabilities that don't have public exploits available in the wild. A good example of this was the LSASS.EXE vulnerability that turned into the Sasser worm. We got notification of the vulnerability along with the rest of the world on Microsoft Tuesday and quickly reverse engineered the vulnerability and generated rules. We had rules available that could pick up almost every variant of Sasser a week before the worm hit. A more recent example is all the updates that we've added to netbios.rules for things like ms05-010 and ms05-011.

We have an extensive research and testing capability that we've developed over the years here and it's translating directly into high quality rules that allow Snort to have accurate detection while retaining high performance capabilities, in addition to having rules that are available in advance of exploits. That's the value associated with the VRT rules today and we intend to bring more to the table as the service matures.

-Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org

On Mar 8, 2005, at 2:54 AM, Lee Clemens wrote:

I assume, by "the rest", you mean the community rules? My understanding is that the VRT rules are the ones produced and looked over by SF and released with each major Snort version (Snort point x._._). Getting the newer versions basically means you will have rules that are more current with ongoing network/internet activities/vulnerable/worms/viruses that are out there at that given time. An example might be if virus.X comes out, new rules would be written and released by VRT to detect it (possibly long) before a new major version of Snort may be released. I hope that helps clarify your question...if it doesn't, please let me know more specifically what your question is. Basically, it gives you advanced detection capabilities...

--Lee

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Florin Andrei
Sent: Tuesday, March 08, 2005 12:15 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Licensing

On Mon, 2005-03-07 at 21:53 -0500, Martin Roesch wrote:

3) VRT rules developed and QA'd at Sourcefire will be available for commercial redistribution if the commercial entity acquires a license from Sourcefire.

Can someone explain to a guy who used Snort a long time ago but didn't keep in touch - what are the VRT rules and how are they different from the rest? I know they're QA'd by SF; I wonder from a practical standpoint - what do they give me, a Snort user, that the other rules don't?

--
Florin Andrei
http://florin.myip.org/

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
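Michael's message above asks whether the incremental community rule downloads now have to be appended to an existing rule set. The script below is an added example, not code from this thread or from the Snort project, showing one way to overlay an update file onto the rules already deployed: rules are keyed by their sid option, a newer rev replaces an older one, and rules carrying the COMMUNITY msg prefix mentioned in the post are tagged so they can be counted or filtered. The sid, rev and msg options are standard Snort rule options; every rule line in the sample data is constructed for illustration and detects nothing real.

```python
"""Merge incremental Snort rule updates into an existing rule set by sid/rev.

Added example (not from the mailing-list thread or the Snort project).
Relies only on the standard rule options sid, rev and msg; the sample rules
below are constructed for illustration and do not detect anything real.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed "current" rules, as if read from the sensor's existing files.
BASE_RULES: List[str] = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB sample"; '
    'flow:to_server,established; content:"|FF|SMB"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample"; '
    'flow:to_server,established; content:"/sample"; sid:1000002; rev:3;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample, disabled locally"; '
    'sid:1000004; rev:1;)',
]

# Constructed update in the community-exploit.rules style: it revises one
# rule, re-ships an older rev of another, and adds a brand new one.
UPDATE_RULES: List[str] = [
    '# community-exploit.rules (constructed sample update)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"COMMUNITY NETBIOS SMB sample"; '
    'flow:to_server,established; content:"|FF|SMB"; sid:1000001; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample"; '
    'flow:to_server,established; content:"/sample"; sid:1000002; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"COMMUNITY WEB-MISC new sample"; '
    'flow:to_server,established; content:"/new"; sid:1000003; rev:1;)',
]

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


class Rule(NamedTuple):
    sid: int
    rev: int
    msg: str
    text: str


def parse_rule(line: str) -> Optional[Rule]:
    """Return the Rule on this line, or None for blank and comment lines.

    Commented-out rules are treated as absent. A site that disables rules by
    commenting them out should track those sids separately, otherwise a later
    update that re-ships the rule will silently re-enable it.
    """
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    sid = SID_RE.search(line)
    if sid is None:
        raise ValueError('rule without sid: ' + line)
    rev = REV_RE.search(line)
    msg = MSG_RE.search(line)
    return Rule(int(sid.group(1)),
                int(rev.group(1)) if rev else 0,
                msg.group(1) if msg else '',
                line)


def is_community(rule: Rule) -> bool:
    """Community rules carry a 'COMMUNITY ' prefix in msg, as the post notes."""
    return rule.msg.startswith('COMMUNITY ')


def merge_rules(base: List[str], update: List[str]) -> Tuple[Dict[int, Rule], Dict[str, List[int]]]:
    """Overlay update onto base, keyed by sid; the higher rev wins.

    Returns the merged rules plus a report of which sids were added, replaced
    by a newer rev, or kept because the update was not newer than what we had.
    """
    merged: Dict[int, Rule] = {}
    report: Dict[str, List[int]] = {'added': [], 'updated': [], 'kept': []}
    for line in base:
        rule = parse_rule(line)
        if rule is not None:
            merged[rule.sid] = rule
    for line in update:
        rule = parse_rule(line)
        if rule is None:
            continue
        current = merged.get(rule.sid)
        if current is None:
            merged[rule.sid] = rule
            report['added'].append(rule.sid)
        elif rule.rev > current.rev:
            merged[rule.sid] = rule
            report['updated'].append(rule.sid)
        else:
            report['kept'].append(rule.sid)
    return merged, report


def render_rules(merged: Dict[int, Rule]) -> List[str]:
    """Emit the merged set as rule lines ordered by sid, ready to write out."""
    return [merged[sid].text for sid in sorted(merged)]


if __name__ == '__main__':
    merged, report = merge_rules(BASE_RULES, UPDATE_RULES)
    for key, sids in report.items():
        print(key, sids)
    print('community rules:', sum(is_community(r) for r in merged.values()))
    print('\n'.join(render_rules(merged)))
```

Keying on sid rather than on the rule text is what makes repeated incremental downloads safe to apply: re-running the merge with an update you have already applied changes nothing, and a rule the update ships at a lower rev than you already run (the sid 1000002 case above) is not regressed. The one thing this does not preserve is local disabling by commenting out, which is why parse_rule skips such lines and the docstring flags it.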
Current thread:
- Re: Licensing, (continued)
- Re: Licensing Matt Kettler (Mar 08)
- Re: Licensing Bob Walder (Mar 08)
- Re: Licensing Martin Roesch (Mar 07)
- Re: Licensing Peter J Manis (Mar 07)
- Re: Licensing Martin Roesch (Mar 08)
- Re: Licensing Florin Andrei (Mar 07)
- RE: Licensing Lee Clemens (Mar 07)
- Re: Licensing Martin Roesch (Mar 08)
- Re: Licensing Peter J Manis (Mar 07)
- Re: Licensing Jose Maria Lopez Hernandez (Mar 08)
- RE: Licensing SRH-Lists (Mar 08)
- RE: Licensing Snort (Mar 08)