Snort mailing list archives

Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?


From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Fri, 18 Mar 2011 17:32:48 -0400

You make a good point, but I fear that'd be more confusing. 

If the sids aren't the same then folks will assume they're different rules, and run them all. 

The average new snort/suricata user gets rule crazy (I remember doing it :) ) and just downloads and enables 
everything they can find. I think we'd end up wasting a lot of cpu cycles....

But I'm flexible. We're a community. Let's decide together. I've voted for keeping them the same, because we don't have 
a need to run them at the same time, and they're GPL so it's free use. 

Thoughts?

Matt

On Mar 18, 2011, at 5:20 PM, Weir, Jason wrote:

Seems to me it might be time for ET to re-name and re-sid those rules.

Then VRT and ET can go in whatever direction they deem appropriate.  Without confusing the user base.

Yes it means more rule overlap but that's something us end users are dealing with already..

-J


----- Original Message -----
From: Matthew Jonkman <jonkman () emergingthreatspro com>
To: Joel Esler <jesler () sourcefire com>
Cc: Weir, Jason; Emerging Threats Threats Signatures <emerging-sigs () emergingthreats net>; waldo kitty <wkitty42 () windstream net>; snort-users () lists sourceforge net <snort-users () lists sourceforge net>
Sent: Fri Mar 18 16:40:41 2011
Subject: Re: [Emerging-Sigs] GPL rules - who maintains them?  Nobody?

The issue is though that VRT won't support versions back to snort 2.4, nor a version for suricata, which we do at ET. 
So we have the gpl rules here as well in the ET ruleset.

If that could be worked out we could integrate, but I think SF has made it clear their stance on suricata, and on 
snorts more than 2 versions back.

Matt


On Mar 18, 2011, at 3:20 PM, Joel Esler wrote:

That was a porn rule.  Which we've gotten rid of.

Rules that are <1,000,000 in SID are officially maintained by the VRT (even the sids that were available before the 
VRT license change -- commonly referred to as "gpl rules"). 

Emerging threats is encouraged to submit any changes to the ruleset to sids <1,000,000 back to the VRT for 
inclusion into the VRT set.  However, the numbers should not be duplicated.

J

On Mar 18, 2011, at 3:04 PM, Weir, Jason wrote:

That is the raw packet data - as outputted by BASE anyways..

That rule is in the ET set here

http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules

-J

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Friday, March 18, 2011 2:53 PM
To: Weir, Jason
Cc: emerging-sigs () emergingthreats net
Subject: Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?


On 3/18/2011 13:56, Weir, Jason wrote:
After I spammed the snort sigs list on this - looks like it came with the ET rules..

It's probably not maintained by anyone but I'm seeing what could be a FP on 1313

sid:1313; does not exist in my setup with both VRT and ET rules sets... not even as a commented line...

Here's the data - no "up skirt" that I can see....

is that the raw packet data?


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
