Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?

[Matthew Jonkman <jonkman () emergingthreatspro com>]

On Mar 19, 2011, at 10:19 PM, Jason Brvenik wrote:
> > > We do operate differently, for good reason. Our customers demand
> > > stability and effectiveness.
> > > Because our customers demand stability and effectiveness doesn't mean
> > > you can't create a new rule and run with it, referencing the old is
> > > perfectly acceptable.
> >
> > Ha! Insults aside, I don't understand what you're saying there.
>
> Wow, really?

Ya. I don't understand the point you're trying to make. The part about create a new rule and run with it and reference 
the old rule. 

Can you elaborate?


> My statement was directly related to your misinformed digs at update frequency.
>
> "VRT is weekly at best"
> "because VRT might put something out a week later"
> etc...
> "ET Open and Pro rulesets update about daily. You submit something
> it's changed in 24 hours and published."
>
> Our customers want coverage for the threats that affect them delivered
> in a timely and effective manner. They want to be able to review them,
> test them, etc. They don't a rule for malware variants that is tweaked
> for false positives in real-time, they want that handled before the
> rule is deployed. Like it or not, fast moving detection for things
> that they handle quite effectively with other tools is a burden to
> them.

Sorry, that's not what I was trying talking about. Trying to get back to the GPL sigs. 

We do not want to run at the pace of VRT for changes to GPL sigs. So I think collaboration will be very rocky and 
difficult. 



> > >
> >
> > That's sounds very "not my job" to me. If it's a problem, and you can help fix it, why don't you?
>
> I can help solve lots of things, as can you. Tell me, why don't you
> help solve world hunger by growing crops in your back yard? Why don't
> you help solve pollution by not using electricity? Why don't you
> release rules for every virus? Why don't you build a house with screws
> and a hammer?
>
> I've the experience to know what works and what doesn't and I can
> assure you that making the AV signature race an IPS problem too isn't
> going to work. It might make you feel good about detecting something
> but it isn't going to move the line forward one bit.

I wouldn't try to solve world hunger because I haven't a tool capable of it. 

On malware, I do have a tool and the resources and intel available to make a significant impact. And considering that 
AV isn't getting any better, I firmly believe that IDS can pick up abother 50% of coverage on the wire, and help cover 
that 72 hour lead time for a virus to be covered. We have a unique point of view in that while the malware may change 
and evade AV, they VERY often continue to use the same CnC protocol. So the IDS sigs are more reliable longer. 

I know we won't get ALL malware with ids sigs, but we can pick up some slack.

I suspect we'll have to agree to disagree here. But I still don't understand why you guys DO publish malware and 
spyware sigs if you're this opposed to the concept.


> > But that's just philosophy. We have different ones, they're both ok, depends on your
> > environment. If your AV is 100% then you probably don't need IDS to lend a hand.
>
> The reality is that abusing one tool because of the inadequacy of
> another isn't going to solve problems, it might help in the short run
> but it is not a solution. If your pain is really AV use Immunet and/or
> ClamAV to solve that problem, not Snort.

I don't see either of those solving the problem. If I missed a marketing presentation please let me know. Has someone 
announced 100% coverage AV? I must have missed it. 

> > >
> >
> > I suppose. Haven't seen a referral yet though. I just can't imagine a customer where malware
> > isn't a problem though...
>
> Malware is a problem and we spent good money on a solution that
> approaches the problem in a way that can be successful without being
> continually in a signature rat race. Feel free to ask any questions
> about the approach after you have given Immunet a try -
> http://www.immunet.com/main/index.html

Appreciate the offer. I unfortunately don't have any windows boxes so I can't give it a try. If I ever do I certainly 
will.

Well, we do have windows boxes, but they're zombies in the sandnet being infected thousands of times a day for writing 
sigs... :)

> > >
> >
> > I think it is germane, because we're talking about where the master rules might be held if we
> > were to collaborate. I don't think it's appropriate for them to held by an entity that'll not be
> > maintaining the old versions. That's all.
>
> No, we are talking about duplication of rules already mastered
> elsewhere and the problems that is causing for users. If you want to
> have a different discussion please start a new thread.

I don't think it's causing problems for users. We have 2 rulesets published to solve this problem. 

What I thought we were discussing was collaborating somehow to keep them in sync. We also have to keep in sync versions 
for old snort and now for suricata, and we'll be putting them into other formats soon. So I think it makes sense for 
the "master" repository to be maintained in the community, not at VRT. You'll be end of lifing something we still need 
over here soon, so then we'd have to maintain those on our own anyway....

So, I'd like to keep talking about this. Why does the master repo of GPL rules have to be maintained at Sourcefire? 
Especially when the community will have more versions that SF wants to support, and for other platforms that SF has 
great disdain for. 

> >
>
> My only interest in entering this thread is to resolve the problems
> your actions have created. Duplicating rules for the sake of it has
> repeatedly caused problems for users. Several very palatable
> alternatives have been suggested and I would like to see that
> discussion get back on track.

Agreed. I missed the palatable alternatives, perhaps we need to reset the discussion?

Matt


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users