Snort mailing list archives

RE: Licensing


From: "Snort" <Snort () InterCept Net>
Date: Tue, 8 Mar 2005 17:46:24 -0500

It looks like the format of the rules has changed also. The community
rules have the following blurb in the msg field, (msg:"COMMUNITY .....")
and the rules download only seems to be updates and not complete
snapshots, also with new names (community-exploit.rules). Will there be
a snapshot download for the community rules or will we just now have to
append the updates to our current rules/configs? 

Seems we all have our work cut out for us during this transition....

Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin
Roesch
Posted At: Tuesday, March 08, 2005 10:58 AM
Posted To: Snort
Conversation: [Snort-users] Licensing
Subject: Re: [Snort-users] Licensing

One other point: We run the rules through an extensive QA process to 
verify that they function correctly and that the entire rest of the 
rule set functions properly after integration (i.e. a full regression 
test).  We run on the order of 6.8 million tests every time we QA a new 
rule set to verify that the rules still fire as they should and don't 
fire when they shouldn't.  We also pay attention to performance when we 
develop rules so that our gigabit sensors don't turn into 100Mb 
sensors; it's entirely possible to write PCRE rules that take *seconds* 
to run per packet...

Additionally, we have the capability in house to develop rules for 
vulnerabilities that don't have public exploits available in the wild.  
A good example of this was the LSASS.EXE vulnerability that turned into 
the Sasser worm.  We got notification of the vulnerability along with 
the rest of the world on Microsoft Tuesday and quickly reverse 
engineered the vulnerability and generated rules.  We had rules 
available that could pick up almost every variant of Sasser a week 
before the worm hit.  A more recent example is all the updates that 
we've added to netbios.rules for things like ms05-010 and ms05-011.

We have an extensive research and testing capability that we've 
developed over the years here and it's translating directly into high 
quality rules that allow Snort to have accurate detection while 
retaining high performance capabilities in addition to having rules 
that are available in advance of exploits.  That's the value associated 
with the VRT rules today and we intend to bring more to the table as 
the service matures.

      -Marty


On Mar 8, 2005, at 2:54 AM, Lee Clemens wrote:

I assume, by "the rest", you mean the community rules? My understanding is
that the VRT rules are the ones produced and looked over by SF and released
with each major Snort version (Snort point x._._). Getting the newer
versions basically means you will have rules that are more current with
ongoing network/internet activities/vulnerable/worms/viruses that are out
there at that given time.

An example might be if virus.X comes out, new rules would be written and
released by VRT to detect it (possibly long) before a new major version of
Snort may be released.

I hope that helps clarify your question...if it doesn't please let me know
more specifically what your question is. Basically, it gives you advanced
detection capabilities...

--Lee

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Florin 
Andrei
Sent: Tuesday, March 08, 2005 12:15 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Licensing

On Mon, 2005-03-07 at 21:53 -0500, Martin Roesch wrote:

3) VRT rules developed and QA'd at Sourcefire will be available for
commercial redistribution if the commercial entity acquires a license
from Sourcefire.

Can someone explain to a guy who used Snort long time ago but didn't
keep in touch - what are the VRT rules and how are they different from
the rest? I know they're QA'd by SF, i wonder from a practical
standpoint - what do they give me, a Snort user, that the other rules
don't?

-- 
Florin Andrei

http://florin.myip.org/



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real 
users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - 
http://www.snort.org
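Two practical points in the thread above, Michael's question about appending incremental community-rule updates to an existing rule set, and Marty's warning that a badly written PCRE rule can take seconds per packet, can be illustrated with one small script. This is an added example, not code from the Snort project or Sourcefire. It assumes the Snort 2 rule syntax of the time (`action proto src sport dir dst dport (options;)`), the rules it operates on are constructed for illustration (SIDs, msgs and patterns are invented), the merge policy (an update rule wins unless the base already carries a strictly higher rev) is a choice made here rather than anything the thread specifies, and the nested-quantifier check is only a heuristic for regex shapes that can backtrack exponentially, not a measurement of Snort's actual PCRE cost.

```python
"""Merge a Snort 2.x community rule update into a base rule set by SID and flag
PCRE options whose shape tends to backtrack catastrophically.  Added example for
this thread, not Snort/Sourcefire code; sample rules below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Snort 2 rule: "action proto src sport dir dst dport (options)"
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+'
    r'\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
# Heuristic only: a quantified group that is itself quantified, e.g. (a+)+ or
# (\w*)*, which can take exponential time on input that almost matches.
NESTED_QUANT_RE = re.compile(r'\([^()]*[+*][^()]*\)[+*{]')

@dataclass
class Rule:
    raw: str
    sid: int
    rev: int
    msg: str
    pcre: List[str] = field(default_factory=list)

    @property
    def community(self) -> bool:
        # the community feed prefixes msg with "COMMUNITY ", as noted in the thread
        return self.msg.startswith("COMMUNITY ")

def split_options(opts: str) -> List[str]:
    """Split the option body on ';' outside double quotes, honouring backslashes."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            out.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur).strip())
    return [tok for tok in out if tok]

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; comments, blank lines and rules without a sid give None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts: Dict[str, List[str]] = {}
    for tok in split_options(m.group("opts")):
        name, _, val = tok.partition(":")
        opts.setdefault(name.strip(), []).append(val.strip().strip('"'))
    if "sid" not in opts:
        return None
    return Rule(line.rstrip(), int(opts["sid"][0]), int(opts.get("rev", ["0"])[0]),
                opts.get("msg", [""])[0], opts.get("pcre", []))

def merge_rules(base: List[str], update: List[str]) -> Dict[int, Rule]:
    """Apply an incremental update to a base set keyed by sid: an update rule
    replaces the base rule with the same sid unless the base rev is strictly
    higher; new sids are added.  (Merge policy chosen for this example.)"""
    merged: Dict[int, Rule] = {}
    for line in base:
        r = parse_rule(line)
        if r:
            merged[r.sid] = r
    for line in update:
        r = parse_rule(line)
        if r and (r.sid not in merged or r.rev >= merged[r.sid].rev):
            merged[r.sid] = r
    return merged

def risky_pcre_sids(rules: Dict[int, Rule]) -> List[int]:
    """SIDs whose pcre option matches the nested-quantifier heuristic."""
    return sorted(s for s, r in rules.items()
                  if any(NESTED_QUANT_RE.search(p) for p in r.pcre))

# Constructed sample data (invented SIDs, msgs and patterns), not real Snort rules.
BASE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMUNITY WEB-MISC sample probe"; content:"/sample-probe"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS sample request"; content:"|FF|SMB"; sid:1000002; rev:3;)',
]
UPDATE_RULES = [
    '# community-exploit.rules (constructed incremental update)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMUNITY WEB-MISC sample probe"; content:"/sample-probe"; nocase; sid:1000001; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS sample request"; content:"|FF|SMB"; sid:1000002; rev:2;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC slow pcre"; pcre:"/^GET \/(\w+)+=/"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    merged = merge_rules(BASE_RULES, UPDATE_RULES)
    for sid in sorted(merged):
        print(merged[sid].raw)
    print("# pcre worth benchmarking:", risky_pcre_sids(merged))
```

Run stand-alone it prints the merged rule set (sid 1000001 at rev 2, sid 1000002 kept at the base's rev 3, sid 1000003 added) followed by the SIDs whose pcre deserves a timing test before deployment; pointing the two lists at a real base file and a downloaded `community-*.rules` update and writing the merged output back is the obvious next step. Keying on sid rather than on rule text is what makes appending updates safe: a rule that changes content but keeps its sid replaces its predecessor instead of producing a duplicate-sid error at Snort start-up.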







