[Emerging-Sigs] Emerging Threats Sells Out!!!

Matthew Jonkman jonkman at emergingthreatspro.com
Sat Oct 2 16:54:55 EDT 2010

On Oct 2, 2010, at 3:01 PM, Mike Cox wrote:
> - ET Community rules are now being QAed by paid professionals in
> addition to getting the normal community scrutiny.  Ultimately this
> means that the ET Community ruleset we all know and use will be
> better.

Yes, and it'll get even better over time as we get into deep tuning.

We'll have the open ruleset converted and QA complete next week I hope, and then we'll do the tarball switch to the new system. More on that when we get closer, and how to coordinate.

> - The ET Community and Pro rules are much more flexible than VRT in
> terms of updates and responding to the latest threats. (As an aside, I
> will say that running VRT and ET rules together on a large network,
> I've gotten much more mileage from the ET rules … I can't tell you how
> many times the ET rules have alerted me of a malware infection (when
> the VRT rules haven't) while the VRT rules throw massive false
> positives (waking me up at night), especially when it comes to client
> side Microsoft vulnerabilities.  Don't get me started on VRT rule
> performance….)

We will still be publishing daily ruleset updates, and pushing as hard as always on the new malware.

> - There are no "hidden" rules like with a lot of Sourcefire GID 3
> (granted, many GID 3 rules are open source but many are not which
> makes investigating false positives very difficult (as evilghost
> pointed out).  I might as well get a TippingPoint appliance if I
> wanted that; at least I'd have better QA and performance).

No obfuscation here. I think I said it in another recent email, but it bears repeating. If we have intel that requires obfuscation we will figure it out another way.

> - The only downside I see of ET Pro is that some rules are only
> available to subscribers and this grinds against the open source
> attitude of ET.  However, I understand the situation with the Telus
> license.  Ultimately it seems to me that the ET Pro venture will
> benefit everybody -- the ET Community rules will be expanded and have
> further QA and those that subscribe to ET Pro will also get some
> additional detection for 0day and the monthly Microsoft vulns and
> won't have to rely on other signature feeds like VRT.

Yes, it's a double-edged sword in that respect. If we can change that one day we certainly will. Money talks, and if we have large numbers of subscribers we get to talk more. :)

> - ET Pro is offering 24/7 phone support and you don't get that with
> Sourcefire.  I will say, though, that since ET Pro is only a ruleset,
> any IDS/IPS engineer worth his weight should be able to support
> him/herself.

I agree. Frankly we went for the phone support option because it'll be the fastest way for us to be alerted of an issue with the ruleset.

> - As we speak I'm building a Suricata box and the ET Pro announcement
> has only encouraged me to investigate using Suricata to replace Snort.

Good choice!!! We are tuning the Suricata ruleset as well, converting sigs to "alert http $HOME_NET ...". It's really quite cool!

> - I am now curious what the Sourcefire guys did with the ET SWAG
> evilghost sent them :)

Wasn't there video of them blowing up their own pig foam things? I can only imagine what happened to our stuff. :)

> I only hope that, like Martin said, ET Pro will not focus too much on
> making a buck (like Sourcefire) but continue in the spirit of open
> source and pwning bad guys that it always has.  We gotta keep on
> pwning on....

Doing my best. And also doing our best to not make this a pissing contest between us and SF. There's room for all in the market. I appreciate that everyone here is also being respectful while airing legitimate concerns. Let's keep that up and I think we'll have a productive relationship all around.


> On Fri, Oct 1, 2010 at 6:49 PM, evilghost at packetmail.net
> <evilghost at packetmail.net> wrote:
>> On 10/01/2010 05:45 PM, Martin Holste wrote:
>>> I'm late to the party on this comment train, but I do have a few
>>> comments to share.
>> That's an amazingly fair/accurate synopsis that I can't find any aspect
>> that I could disagree with.  Thanks for sharing this.  It's nice to get
>> some validation that the closed-source GID3 rules aren't evil because
>> they're closed-source but they're evil because they stifle just about
>> every aspect of investigation rendering them largely useless.
>> I have false positives with GID3 to the same frequency with GID1.  GID1
>> I can view the rule, view the offending data, and also look forward/back
>> against data captured with daemonlogger or other libpcap based solutions
>> which record traffic.  GID3 I'm faced with a "trust us" aspect and the
>> false positives negate my ability to react intelligently.
>> I've also lost confidence in the VRT team to properly apply the needed
>> QA; time and time again they have proved that QA is a second-thought and
>> rush-job rule releases result in epic failure.
>> I've been known to submit crap upstream, the difference is I'm not
>> digging in your wallet, and my intentions aren't profit motivated.  When
>> I won the Signature Contest I sent my SWAG over to the VRT team and to
>> Matt Olney; I never heard if they got it.
>> I'd like to think at night, when no one's watching, they secretly wear it.
>> - -evilghost

Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
