[Emerging-Sigs] Emerging Threats Sells Out!!!
jonkman at emergingthreatspro.com
Sat Oct 2 16:54:55 EDT 2010
On Oct 2, 2010, at 3:01 PM, Mike Cox wrote:
> - ET Community rules are now being QAed by paid professionals in
> addition to getting the normal community scrutiny. Ultimately this
> means that the ET Community ruleset we all know and use will be
Yes, and it'll get better over time as we get into deep tuning.
We'll have the open ruleset converted and QA complete next week, I hope, and then we'll do the tarball switch to the new system. More on that, and on how to coordinate, when we get closer.
> - The ET Community and Pro rules are much more flexible than VRT in
> terms of updates and responding to the latest threats. (As an aside, I
> will say that running VRT and ET rules together on a large network,
> I've gotten much more mileage from the ET rules … I can't tell you how
> many times the ET rules have alerted me of a malware infection (when
> the VRT rules haven't) while the VRT rules throw massive false
> positives (waking me up at night), especially when it comes to client
> side Microsoft vulnerabilities. Don't get me started on VRT rule
We will still be publishing daily ruleset updates, and pushing as hard as always on the new malware.
> - There are no "hidden" rules like with a lot of Sourcefire GID 3
> (granted, many GID 3 rules are open source but many are not which
> makes investigating false positives very difficult (as evilghost
> pointed out). I might as well get a TippingPoint appliance if I
> wanted that; at least I'd have better QA and performance).
No obfuscation here. I think I said it in another recent email, but it bears repeating. If we have intel that requires obfuscation we will figure it out another way.
> - The only downside I see of ET Pro is that some rules are only
> available to subscribers and this grinds against the open source
> attitude of ET. However, I understand the situation with the Telus
> license. Ultimately it seems to me that the ET Pro venture will
> benefit everybody -- the ET Community rules will be expanded and have
> further QA and those that subscribe to ET Pro will also get some
> additional detection for 0day and the monthly Microsoft vulns and
> won't have to rely on other signature feeds like VRT.
Yes, it's a double-edged sword in that respect. If we can change that one day we certainly will. Money talks, and if we have large numbers of subscribers we get to talk more. :)
> - ET Pro is offering 24/7 phone support and you don't get that with
> Sourcefire. I will say, though, that since ET Pro is only a ruleset,
> any IDS/IPS engineer worth his weight should be able to support
I agree. Frankly we went for the phone support option because it'll be the fastest way for us to be alerted of an issue with the ruleset.
> - As we speak I'm building a Suricata box and the ET Pro announcement
> has only encouraged me to investigate using Suricata to replace Snort.
Good choice!!! We are tuning the Suricata ruleset as well, converting sigs to "alert http $HOME_NET ...". It's really quite cool!
> - I am now curious what the Sourcefire guys did with the ET SWAG
> evilghost sent them :)
Wasn't there video of them blowing up their own pig foam things? I can only imagine what happened to our stuff. :)
> I only hope that, like Martin said, ET Pro will not focus too much on
> making a buck (like Sourcefire) but continue in the spirit of open
> source and pwning bad guys that it always has. We gotta keep on
> pwning on....
Doing my best. And also doing our best to not make this a pissing contest between us and SF. There's room for all in the market. I appreciate that everyone here is also being respectful while airing legitimate concerns. Let's keep that up and I think we'll have a productive relationship all around.
> On Fri, Oct 1, 2010 at 6:49 PM, evilghost at packetmail.net
> <evilghost at packetmail.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On 10/01/2010 05:45 PM, Martin Holste wrote:
>>> I'm late to the party on this comment train, but I do have a few
>>> comments to share.
>> That's an amazingly fair and accurate synopsis; I can't find any aspect
>> of it that I could disagree with. Thanks for sharing this. It's nice to get
>> some validation that the closed-source GID3 rules aren't evil because
>> they're closed-source but they're evil because they stifle just about
>> every aspect of investigation rendering them largely useless.
>> I have false positives with GID3 at the same frequency as with GID1. With
>> GID1 I can view the rule, view the offending data, and also look forward/back
>> against data captured with daemonlogger or other libpcap based solutions
>> which record traffic. GID3 I'm faced with a "trust us" aspect and the
>> false positives negate my ability to react intelligently.
>> I've also lost confidence in the VRT team to properly apply the needed
>> QA; time and time again they have proved that QA is a second-thought and
>> rush-job rule releases result in epic failure.
>> I've been known to submit crap upstream, the difference is I'm not
>> digging in your wallet, and my intentions aren't profit motivated. When
>> I won the Signature Contest I sent my SWAG over to the VRT team and to
>> Matt Olney; I never heard if they got it.
>> I'd like to think at night, when no one's watching, they secretly wear it.
>> - -evilghost
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
Open Information Security Foundation (OISF)
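The Snort-to-Suricata rewrite Jonkman mentions above ("alert http $HOME_NET ...") is shown here as an added example. This is not ET's converter and not code posted in the thread; it assumes the rewrite works as follows: a Snort rule whose header is tcp with $HTTP_PORTS becomes an http rule with that port set to any (so Suricata's HTTP app-layer detection, not the port list, decides what is HTTP), and the legacy uricontent keyword becomes content with the http_uri modifier, which Suricata documents as equivalent. The sample rules and their sids are constructed for this example.

```python
"""
Snort -> Suricata HTTP rule-header conversion (added example; not ET's converter).

Assumptions (not stated on the page):
  * A Snort rule with protocol 'tcp' and $HTTP_PORTS in its header is rewritten
    to 'http' with that port set to 'any', so Suricata's HTTP app-layer parser
    decides what is HTTP instead of the port list.
  * 'uricontent:"x";' is rewritten to 'content:"x"; http_uri;', which Suricata
    documents as equivalent.
  * The sample rules below are constructed for this example (sids in the local range).
"""
import re
from typing import Iterable, List

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# uricontent:[!]"pattern";  (pattern may contain \" and |hex| escapes)
URICONTENT_RE = re.compile(
    r'uricontent\s*:\s*(?P<neg>!?)\s*"(?P<pat>(?:[^"\\]|\\.)*)"\s*;'
)

HTTP_PORT_VAR = '$HTTP_PORTS'


def to_suricata_http(rule: str) -> str:
    """Return the Suricata http-header form of a Snort tcp/$HTTP_PORTS rule.

    Rules that are not tcp, or that do not reference $HTTP_PORTS, are returned
    unchanged, so the function is safe to run over a whole ruleset.
    """
    m = HEADER_RE.match(rule.strip())
    if m is None:
        return rule
    h = m.groupdict()
    if h['proto'].lower() != 'tcp':
        return rule
    if HTTP_PORT_VAR not in (h['sport'], h['dport']):
        return rule

    sport = 'any' if h['sport'] == HTTP_PORT_VAR else h['sport']
    dport = 'any' if h['dport'] == HTTP_PORT_VAR else h['dport']

    # Legacy uricontent -> content plus the http_uri modifier.
    opts = URICONTENT_RE.sub(
        lambda mm: f'content:{mm.group("neg")}"{mm.group("pat")}"; http_uri;',
        h['opts'],
    )
    return f"{h['action']} http {h['src']} {sport} {h['dir']} {h['dst']} {dport} ({opts})"


def convert_ruleset(lines: Iterable[str]) -> List[str]:
    """Convert every rule line; comments and blank lines pass through untouched."""
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)
        else:
            out.append(to_suricata_http(stripped))
    return out


# Constructed sample rules (not taken from the ET ruleset).
SAMPLE_RULES = [
    '# constructed sample ruleset',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Suspicious User-Agent"; '
    'flow:established,to_server; content:"User-Agent|3a| EvilBot"; http_header; '
    'uricontent:"/gate.php"; classtype:trojan-activity; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE Fake 404 body"; '
    'flow:established,to_client; content:"<title>404</title>"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC JOIN"; '
    'flow:established,to_server; content:"JOIN "; sid:1000003; rev:1;)',
]

if __name__ == '__main__':
    for converted in convert_ruleset(SAMPLE_RULES):
        print(converted)
```

Two caveats a practitioner would check before running something like this over a real ruleset: the options rewrite is a plain regex substitution and would also hit the literal word uricontent inside a msg string, so a production converter tokenizes the options first; and switching the header to http means the rule only fires on flows Suricata has identified as HTTP, which is the point of the conversion but also narrows any tcp rule that was relying on matching raw bytes on port 80.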