Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?

[Jason Brvenik <jason () sourcefire com>]

On Fri, Mar 18, 2011 at 5:32 PM, Matthew Jonkman
<jonkman () emergingthreatspro com> wrote:
> You make a good point, but I fear that'd be more confusing.
> If the sids aren't the same then folks will assume they're different rules,
> and run them all.
> The average new snort/suricata user gets rule crazy (I remember doing it :)
> ) and just downloading and enabling everything they can find. I think we'd
> end up wasting a lot of cpu cycles....
> But I'm flexible. We're a community. Lets decide together. I've voted for
> keeping them the same, because we don't have a need to run them at the same
> time, and they're GPL so it's free use.

Define "them" please

Is your assertion that users don't need to run VRT and ET Rules sets?

> Thoughts?
> Matt
> On Mar 18, 2011, at 5:20 PM, Weir, Jason wrote:
>
> Seems to me it might be time for ET to re-name and re-sid those rules.
>
> Then VRT and ET can go in whatever direction they deem appropriate.  Without
> confusing the user base.
>
> Yes it means more rule overlap but that's something us end users are dealing
> with already..
>
> -J
>
>
> ----- Original Message -----
> From: Matthew Jonkman <jonkman () emergingthreatspro com>
> To: Joel Esler <jesler () sourcefire com>
> Cc: Weir, Jason; Emerging Threats Threats Signatures
> <emerging-sigs () emergingthreats net>; waldo kitty <wkitty42 () windstream net>;
> snort-users () lists sourceforge net <snort-users () lists sourceforge net>
> Sent: Fri Mar 18 16:40:41 2011
> Subject: Re: [Emerging-Sigs] GPL rules - who maintains them?  Nobody?
>
> The issue is though that VRT won't support versions back to snort 2.4, nor a
> version for suricata, which we do at ET. So we have the gpl rules here as
> well in the ET ruleset.
>
> If that could be worked out we could integrate, but I think SF has made it
> clear their stance on suricata, and on snorts more than 2 versions back.
>
> Matt
>
>
> On Mar 18, 2011, at 3:20 PM, Joel Esler wrote:
>
> > That was a porn rule.  Which we've gotten rid of.
> >
> > Rules that are <1,000,000 in SID are officially maintained by the VRT
> > (even the sids that were available before the VRT license change -- commonly
> > referred to as "gpl rules").
> >
> > Emerging threats is encouraged to submit any changes to the ruleset to
> > sids <1,000,000 back to the VRT for inclusion into the VRT set.  However,
> > the numbers should not be duplicated.
> >
> > J
> >
> > On Mar 18, 2011, at 3:04 PM, Weir, Jason wrote:
> >
> > > That is the raw packet data - as outputted by BASE anyways..
> > >
> > > That rule is in the ET set here
> > >
> > > http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
> > >
> > > -J
> > >
> > > > -----Original Message-----
> > > > From: waldo kitty [mailto:wkitty42 () windstream net]
> > > > Sent: Friday, March 18, 2011 2:53 PM
> > > > To: Weir, Jason
> > > > Cc: emerging-sigs () emergingthreats net
> > > > Subject: Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
> > > >
> > > >
> > > > On 3/18/2011 13:56, Weir, Jason wrote:
> > > > > After I spammed the snort sigs list on this - looks like it
> > > > came with
> > > > > the ET rules..
> > > > >
> > > > > It's probably not maintained by anyone but I'm seeing what
> > > > could be a FP
> > > > > on 1313
> > > >
> > > > sid:1313; does not exist in my setup with both VRT and ET
> > > > rules sets... not even
> > > > as a commented line...
> > > >
> > > > > Here's the data - no "up skirt" that I can see....
> > > >
> > > > is that the raw packet data?
> > >
> > >
> > >
> > > _____________________________________________________________________________________________
> > >
> > > Please visit www.nhrs.org to subscribe to NHRS email announcements and
> > > updates.
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs () emergingthreats net
> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > >
> > > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > > http://www.emergingthreatspro.com
> > > The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> > > Current!
> >
> > --
> > Joel Esler
> > jesler () sourcefire.com
> > http://blog.snort.org && http://blog.clamav.net
> > Twitter: @snort
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs () emergingthreats net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> > Current!
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630 x110
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and
> updates.
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and
> updates.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630 x110
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users