[Emerging-Sigs] Distribution Question for you

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 8 11:42:08 EDT 2010

We are about to make the new open ruleset available for general download. The beta testers have done a great job helping us out there in finding any remaining issues (Thanks to them all!!!)

I have a question for everyone though. We brought in the old snort GPL rules (sid 3464 and prior) as well as the valuable rules from the community ruleset, and we converted them to the platforms we're supporting (2.4, 2.8.4, 2.8.6, suricata, and snort 2.9 shortly). 

Now, if you're using the VRT rules and adding in the ET open rules you'll have sid conflicts, since they also include some of the GPL sigs in the VRT set. So we OUGHT to just not include them in the ET open ruleset, but that only applies if you're using VRT.

And, since VRT is not supporting older versions of snort anymore (where are we, 2.8.6 is the oldest they will give you rules for), the versions of the GPL rules we have converted and will continue to support are now very valuable. You won't get them via VRT anymore. 

So, we want to keep these GPL rules available in the converted forms we have done up. We want to keep the ET open ruleset compatible to be used as an add-on for the VRT set (although I think you're better off using the ETPRO rules instead :) ). 

What is everyone's preference? Should we keep our converted GPL rules in the et open ruleset so that folks can have them all in the platform they support, or should we strip them out?

I'm torn because we do have a number of users that use the et open set as an add-on to VRT, and I don't want to break that. Other users use et open as a standalone, and now will gain the gpl rules. And with sourcefire not supporting much for historical rules us keeping these in the ruleset with constant tuning and conversion is more important, so I'd rather keep that available.

What's the consensus here?


Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
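
Added example, not part of the original post and not Emerging Threats tooling: a check for the sid conflicts described above, which lists sids present in more than one rules file before the sets are combined. The sample rules, ruleset names and function names are constructed for illustration; only the 3464 GPL boundary comes from the post.

```python
import re
from collections import defaultdict

GPL_MAX_SID = 3464  # per the post: the old Snort GPL rules are sid 3464 and prior
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')

# Constructed sample rules (not real VRT or ET signatures).
VRT_SAMPLE = r'''
alert tcp any any -> any 80 (msg:"constructed rule A"; content:"a"; sid:1201; rev:3;)
alert tcp any any -> any 25 (msg:"constructed rule B"; \
    content:"b"; sid:3001; rev:1;)
'''
ET_SAMPLE = r'''
alert tcp any any -> any 80 (msg:"GPL constructed rule A"; content:"a"; sid:1201; rev:4;)
# alert tcp any any -> any 25 (msg:"GPL constructed rule B"; content:"b"; sid:3001; rev:1;)
alert tcp any any -> any 443 (msg:"ET constructed rule C"; content:"c"; sid:2000001; rev:1;)
'''

def parse_rules(text, include_disabled=False):
    """Map sid -> msg for each rule; commented-out rules only if requested."""
    rules = {}
    joined = re.sub(r"\\\r?\n", " ", text)  # fold backslash-continued rules
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#"):
            if not include_disabled:
                continue
            line = line.lstrip("# ")
        sid = SID_RE.search(line)
        if sid is None or "(" not in line:
            continue  # blank line, plain comment, or not a rule
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = msg.group(1) if msg else ""
    return rules

def sid_conflicts(rulesets, include_disabled=False):
    """rulesets: {name: rules text}. Return {sid: {name: msg}} for shared sids."""
    owners = defaultdict(dict)
    for name, text in rulesets.items():
        for sid, msg in parse_rules(text, include_disabled).items():
            owners[sid][name] = msg
    return {sid: o for sid, o in sorted(owners.items()) if len(o) > 1}

if __name__ == "__main__":
    found = sid_conflicts({"vrt": VRT_SAMPLE, "et-open": ET_SAMPLE}, include_disabled=True)
    for sid, o in found.items():
        tag = "GPL range" if sid <= GPL_MAX_SID else "other"
        print(f"sid {sid} ({tag}): {o}")
```

Passing `include_disabled=True` also reports rules shipped commented out, which would collide as soon as someone enables them.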
