[Emerging-Sigs] Distribution Question for you

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 8 13:59:57 EDT 2010


We'd have a few thousand rules duplicated then. And they're all pretty bad on performance, so it'd be a significant issue. 

Matt


On Oct 8, 2010, at 1:49 PM, Kevin Ross wrote:

> What is to stop us redistributing them with a new sid so there are no conflicts and distributing them with the ET rules? I think people may still want to use the VRT/ET combinations and thus it is important they remain compatible for users.
> 
> On 8 October 2010 16:42, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:
> We are about to make the new open ruleset available for general download. The beta testers have done a great job helping us out there in finding any remaining issues (Thanks to them all!!!)
> 
> I have a question for everyone though. We brought in the old snort GPL rules (sid 3464 and prior) as well as the valuable rules from the community ruleset, and we converted them to the platforms we're supporting (2.4, 2.8.4, 2.8.6, suricata, and snort 2.9 shortly).
> 
> Now, if you're using the VRT rules and adding in the ET open rules you'll have sid conflicts, since they also include some of the GPL sigs in the VRT set. So we OUGHT to just not include them in the ET open ruleset, but that only applies if you're using VRT.
> 
> And, since VRT is not supporting older versions of snort anymore (where are we, 2.8.6 is the oldest they will give you rules for), the versions of the GPL rules we have converted and will continue to support are now very valuable. You won't get them via VRT anymore.
> 
> So, we want to keep these GPL rules available in the converted forms we have done up. We want to keep the ET open ruleset compatible to be used as an add-on for the VRT set (although I think you're better off using the ETPRO rules instead :) ).
> 
> What is everyone's preference? Should we keep our converted GPL rules in the et open ruleset so that folks can have them all in the platform they support, or should we strip them out?
> 
> I'm torn because we do have a number of users that use the et open set as an add-on to VRT, and I don't want to break that. Other users use et open as a standalone, and now will gain the gpl rules. And with sourcefire not supporting much for historical rules us keeping these in the ruleset with constant tuning and conversion is more important, so I'd rather keep that available.
> 
> What's the consensus here?
> 
> Matt
> 
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> 
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
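
The sid overlap and the renumbering trade-off discussed in this thread, as an added example that is not part of the original messages or of any Emerging Threats tooling. The sample rules are constructed, and the function names and the `OFFSET` value are hypothetical; only the sid 3464 boundary comes from the thread.

```python
import re

GPL_MAX_SID = 3464  # from the thread: GPL rules are sid 3464 and prior
OFFSET = 5000000    # hypothetical new sid range, chosen for illustration
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Options that label a rule rather than define what it matches.
META_RE = re.compile(r'\b(?:msg|sid|rev|classtype|reference)\s*:\s*(?:"[^"]*"|[^;]*);\s*')

def parse(text):
    """Map sid -> rule line for every active (uncommented) rule."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        m = SID_RE.search(line)
        if m and not line.startswith("#"):
            rules[int(m.group(1))] = line
    return rules

def sid_conflicts(a, b):
    """Sids that are defined in both rule sets."""
    return sorted(set(a) & set(b))

def renumber_gpl(rules, offset=OFFSET):
    """Move only the GPL-range rules to new sids; leave the rest alone."""
    out = {}
    for sid, rule in rules.items():
        new = sid + offset if sid <= GPL_MAX_SID else sid
        out[new] = SID_RE.sub(f"sid:{new};", rule)
    return out

def detection_key(rule):
    """Header plus matching options, with labels removed and spacing normalised."""
    return " ".join(META_RE.sub("", rule).split())

def duplicated_detection(a, b):
    """(sid_a, sid_b) pairs whose matching logic is identical."""
    seen = {detection_key(r): s for s, r in a.items()}
    return sorted((seen[detection_key(r)], s) for s, r in b.items()
                  if detection_key(r) in seen)

# Constructed sample rules, not taken from either ruleset.
VRT = parse('''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE ftp"; content:"EXAMPLE-A"; sid:1001; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web"; content:"EXAMPLE-B"; sid:2002; rev:3;)
''')
ET = parse('''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SAMPLE ftp"; content:"EXAMPLE-A"; sid:1001; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SAMPLE web"; content:"EXAMPLE-B"; sid:2002; rev:4;)
alert udp $HOME_NET any -> any 53 (msg:"ET SAMPLE dns"; content:"EXAMPLE-D"; sid:2010001; rev:1;)
''')
```

On these samples `sid_conflicts(VRT, ET)` reports both GPL-range sids, while `duplicated_detection(VRT, renumber_gpl(ET))` still pairs each renumbered rule with its original: the sid clash goes away but every overlapping rule is now evaluated twice.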


