[Emerging-Sigs] Distribution Question for you

Weir, Jason jason.weir at nhrs.org
Fri Oct 8 11:46:52 EDT 2010


Nope keep ET distributing them - that way they get updated if needed and
are backward compatible...

New ET sids and an oink config to disable the VRT sids was my first
thought..

-J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matthew
Jonkman
Sent: Friday, October 08, 2010 11:42 AM
To: Emerging Threats Threats emerging-sigs at emergingthreats.net
Subject: [Emerging-Sigs] Distribution Question for you


We are about to make the new open ruleset available for general
download. The beta testers have done a great job helping us out there in
finding any remaining issues (Thanks to them all!!!)

I have a question for everyone though. We brought in the old snort GPL
rules (sid 3464 and prior) as well as the valuable rules from the
community ruleset, and we converted them to the platforms we're
supporting (2.4, 2.8.4, 2.8.6, suricata, and snort 2.9 shortly). 

Now, if you're using the VRT rules and adding in the ET open rules
you'll have sid conflicts, since they also include some of the GPL sigs
in the VRT set. So we OUGHT to just not include them in the ET open
ruleset, but that only applies if you're using VRT.

And, since VRT is not supporting older versions of snort anymore (where
are we, 2.8.6 is the oldest they will give you rules for), the versions
of the GPL rules we have converted and will continue to support are now
very valuable. You won't get them via VRT anymore.

So, we want to keep these GPL rules available in the converted forms we
have done up. We want to keep the ET open ruleset compatible to be used
as an add-on for the VRT set (although I think you're better off using
the ETPRO rules instead :) ). 

What is everyone's preference? Should we keep our converted GPL rules in
the et open ruleset so that folks can have them all in the platform they
support, or should we strip them out?

I'm torn because we do have a number of users that use the et open set
as an add-on to VRT, and I don't want to break that. Other users use et
open as a standalone, and now will gain the gpl rules. And with
sourcefire not supporting much for historical rules us keeping these in
the ruleset with constant tuning and conversion is more important, so
I'd rather keep that available.

What's the consensus here?

Matt
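As an added illustration of the sid conflict discussed in this thread (this is not code from the list or from Emerging Threats): a small Python check that finds sids present in both a VRT-style rule file and an ET open rule file, and emits oinkmaster `disablesid` directives for them so the VRT copies can be commented out, as suggested in the reply above. The two rule files below are constructed samples, not real ruleset content.

```python
import re

# Constructed sample rule files. Both carry a converted GPL rule with
# sid 3464, which is exactly the collision the thread describes.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example"; sid:3464; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example"; sid:1000; rev:2;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:2000; rev:1;)
"""
ET_OPEN_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP example"; sid:3464; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN example"; sid:2010000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB example"; sid:2000; rev:3;)
"""

# Matches the sid option inside a rule body, e.g. "sid:3464;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def extract_sids(rule_text):
    """Return {sid: line_number} for every active (uncommented) rule line."""
    sids = {}
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # commented-out rules are not loaded, so they cannot collide
        match = SID_RE.search(stripped)
        if match:
            sids[int(match.group(1))] = lineno
    return sids


def find_conflicts(primary_text, addon_text):
    """Sids that appear as active rules in both files, sorted ascending."""
    return sorted(extract_sids(primary_text).keys() & extract_sids(addon_text).keys())


def oinkmaster_disable_lines(sids):
    """Build oinkmaster.conf 'disablesid' lines for the colliding sids."""
    return [f"disablesid {sid}" for sid in sids]


if __name__ == "__main__":
    conflicts = find_conflicts(VRT_RULES, ET_OPEN_RULES)
    print("conflicting sids:", conflicts)
    print("\n".join(oinkmaster_disable_lines(conflicts)))
```

Run oinkmaster against the VRT download with the emitted lines in its config and the duplicated VRT rules are commented out, leaving the ET open copies active.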

