[Emerging-Sigs] Emerging Threats Sells Out!!!

Mike Cox mike.cox52 at gmail.com
Sat Oct 2 15:01:42 EDT 2010


I've been quiet on this thread but would like to share a few of my
observations, even if they are not congruent; here are my thoughts on
the whole ET Pro venture:

- ET Community rules are now being QAed by paid professionals in
addition to getting the normal community scrutiny.  Ultimately this
means that the ET Community ruleset we all know and use will be
better.

- The ET Community and Pro rules are much more flexible than VRT in
terms of updates and responding to the latest threats. (As an aside, I
will say that running VRT and ET rules together on a large network,
I've gotten much more mileage from the ET rules … I can't tell you how
many times the ET rules have alerted me to a malware infection (when
the VRT rules haven't) while the VRT rules throw massive false
positives (waking me up at night), especially when it comes to client
side Microsoft vulnerabilities.  Don't get me started on VRT rule
performance….)

- There are no "hidden" rules like with a lot of Sourcefire GID 3
(granted, many GID 3 rules are open source but many are not which
makes investigating false positives very difficult (as evilghost
pointed out).  I might as well get a TippingPoint appliance if I
wanted that; at least I'd have better QA and performance).

- The only downside I see of ET Pro is that some rules are only
available to subscribers and this grinds against the open source
attitude of ET.  However, I understand the situation with the Telus
license.  Ultimately it seems to me that the ET Pro venture will
benefit everybody -- the ET Community rules will be expanded and have
further QA and those that subscribe to ET Pro will also get some
additional detection for 0day and the monthly Microsoft vulns and
won't have to rely on other signature feeds like VRT.

- ET Pro is offering 24/7 phone support and you don't get that with
Sourcefire.  I will say, though, that since ET Pro is only a ruleset,
any IDS/IPS engineer worth his weight should be able to support
him/herself.

- As we speak I'm building a Suricata box and the ET Pro announcement
has only encouraged me to investigate using Suricata to replace Snort.

- I am now curious what the Sourcefire guys did with the ET SWAG
evilghost sent them :)

I only hope that, like Martin said, ET Pro will not focus too much on
making a buck (like Sourcefire) but continue in the spirit of open
source and pwning bad guys that it always has.  We gotta keep on
pwning on....

-Mike Cox

On Fri, Oct 1, 2010 at 6:49 PM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
>
> On 10/01/2010 05:45 PM, Martin Holste wrote:
>> I'm late to the party on this comment train, but I do have a few
>> comments to share.
>
> That's an amazingly fair/accurate synopsis that I can't find any aspect
> that I could disagree with.  Thanks for sharing this.  It's nice to get
> some validation that the closed-source GID3 rules aren't evil because
> they're closed-source but they're evil because they stifle just about
> every aspect of investigation rendering them largely useless.
>
> I have false positives with GID3 to the same frequency with GID1.  GID1
> I can view the rule, view the offending data, and also look forward/back
> against data captured with daemonlogger or other libpcap based solutions
> which record traffic.  GID3 I'm faced with a "trust us" aspect and the
> false positives negate my ability to react intelligently.
>
> I've also lost confidence in the VRT team to properly apply the needed
> QA; time and time again they have proved that QA is a second-thought and
> rush-job rule releases result in epic failure.
>
> I've been known to submit crap upstream, the difference is I'm not
> digging in your wallet, and my intentions aren't profit motivated.  When
> I won the Signature Contest I sent my SWAG over to the VRT team and to
> Matt Olney; I never heard if they got it.
>
> I'd like to think at night, when no one's watching, they secretly wear it.
>
> -evilghost
