[Emerging-Sigs] The New Rulesets are Ready!!

Weir, Jason jason.weir at nhrs.org
Mon Oct 11 08:43:30 EDT 2010


Thanks Matt (and ET team), Awesome job!!!

Quick question.

Going forward will you be updating the GPL rules? Will they get new
SIDs?

Reason I ask is I run the VRT free rules as well as the ET open rules.

The problem is the 409 overlaps you describe below.

With oinkmaster I can't figure out how to disable the GPL rules from VRT
(by sid) without disabling the same SIDs in the ET rules.

Any ideas?

-Jason

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matthew
Jonkman
Sent: Saturday, October 09, 2010 12:39 PM
To: Emerging Threats Threats emerging-sigs at emergingthreats.net
Cc: emerging-announce at emergingthreats.net
Subject: [Emerging-Sigs] The New Rulesets are Ready!!


Thanks to all for your patience, and to everyone who's chipped in to
help do this work. It's been about 4 months of converting and testing,
but we FINALLY have the open ruleset all ready to re-launch. 

The updated rules can be found at:

http://rules.emergingthreats.net

For this conversion to 2.8.4, 2.8.6, and suricata we've ingested the old
Snort GPL rules (sid 3464 and prior) to convert as well as some of the
valuable community sigs in order to keep complete coverage on older
platforms. They'll no longer be available from VRT in 2.8.6 and prior,
so we're doing so here.

All have been converted and tweaked to provide a more complete ruleset.
But of course if you're staying with VRT as your primary ruleset and
want to add the ET Open rules you'll have GPL sid duplication. So to
make it possible for you to choose to stay with VRT we have provided a
version of the ruleset that does NOT contain the GPL or community rules
that would overlap. We will support this for the long term, so if you do
choose to stay with VRT please continue to use the free ET rules! 

Some notes:
1. The rules.emergingthreats.net dns name is a round robin to a couple
of servers now, and we'll be adding a few more over time. So we won't
have the bandwidth crush issues when we would publish on the old
systems.

2. The old ruleset at www.emergingthreats.net/emerging.rules.tar.gz /
zip will remain there, but they WILL NOT BE UPDATED ANY FURTHER. In a
couple of weeks, based on feedback, we may set up a redirect to the
snort-2.8.4 tarball so we don't lose a lot of automated sensors out
there updating on their own. The problem is though that the filenames
inside the tarball have changed to reflect our full use of categories. 

3. The open rulesets retain the file naming convention
emerging-<category>.rules. (The et pro rules do not have emerging- to
avoid confusion) We have added a lot of categories though, so check the
included emerging.conf to make sure you're including all you want to
run.

4. You must choose your platform. 2.8.4 is where the rulesets USED to
be. No http_*, file_data, fast_pattern, etc. While 2.8.4 did support
some of the http_* functions, the 2.8.6 version of the ruleset is the
first that we've brought all of this together. 

5. Snort 2.4 support will be available soon, as will snort 2.9.0. Keep
an eye out for both in the open and pro rulesets! 

6. The version file at http://rules.emergingthreats.net/version.txt will
continue to be updated and picks up from where we were, no rollback. We
encourage you to use that file to sense when your scripts need to pull
an update! The old files that were for the compromised list, rbn list,
and dshield rev won't be continued. They all incremented at the same
time, and will continue to, so we're just going to rely on the master
version counter if no one objects. 

I'll get the backlog of sigs sent to the list committed. We will
continue to update the ruleset as often as possible. Likely we'll settle
into a once a day update cycle. No less than that for sure!

Thanks again to everyone for your patience. Please grab the new tarball,
beat it up. I am CERTAIN we have mistakes in there because my hands have
been in it, so please let me know!!

Matt
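The overlap problem raised in the reply above (disabling the duplicated GPL sids in one ruleset without touching the same sids in the other) can be handled as a post-processing step keyed by file rather than by sid. The script below is an added example, not code from the original thread or from the Emerging Threats or oinkmaster projects: it reads two rule files, treats the first as the primary set, and comments out any rule in the second whose sid is also active in the first. The rule lines are constructed samples (message text and sid values are made up for illustration); it assumes one rule per line in standard Snort/Suricata syntax.

```python
import re

# Snort/Suricata rule options carry the identifier as "sid:<n>;".
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# Rule actions a line may start with (after an optional leading "#").
ACTIONS = ('alert ', 'drop ', 'pass ', 'reject ', 'log ', 'sdrop ')


def parse_rule(line):
    """Return (sid, enabled) for a rule line, or None if the line is not a rule.

    A rule that has already been commented out is still recognised so that it
    is not commented out a second time.
    """
    enabled = not line.lstrip().startswith('#')
    body = line.lstrip('# \t')
    if not body.startswith(ACTIONS):
        return None
    m = SID_RE.search(body)
    if not m:
        return None
    return int(m.group(1)), enabled


def active_sids(rules_text):
    """Set of sids belonging to enabled (uncommented) rules in a ruleset."""
    sids = set()
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[1]:
            sids.add(parsed[0])
    return sids


def disable_overlaps(primary_text, secondary_text):
    """Comment out every enabled rule in the secondary ruleset whose sid is
    also enabled in the primary one.

    Returns (rewritten_secondary_text, sorted list of sids that were disabled).
    Rules are only ever commented out, never deleted, so the change is
    reversible and the file stays diff-able against upstream.
    """
    keep = active_sids(primary_text)
    out, disabled = [], []
    for line in secondary_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[1] and parsed[0] in keep:
            out.append('# ' + line)      # disable the duplicate copy
            disabled.append(parsed[0])
        else:
            out.append(line)
    return '\n'.join(out) + '\n', sorted(disabled)


# Constructed sample rulesets (not real VRT or ET rules).
VRT_SAMPLE = """\
# GPL rules as shipped in the VRT tarball (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP probe"; sid:1000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE TELNET probe"; sid:1001; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE already disabled"; sid:1002; rev:1;)
"""

ET_SAMPLE = """\
# ET open rules including the converted GPL copy (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL EXAMPLE FTP probe"; sid:1000; rev:2;)
alert udp any any -> any 53 (msg:"GPL EXAMPLE not overlapping"; sid:1002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET EXAMPLE native rule"; sid:2000001; rev:1;)
"""


if __name__ == '__main__':
    new_et, disabled = disable_overlaps(VRT_SAMPLE, ET_SAMPLE)
    print('disabled %d overlapping sid(s): %s' % (len(disabled), disabled))
    print(new_et)
```

Because the decision is made per file, the same sid can stay enabled in the VRT file while its ET copy is commented out (or the reverse, by swapping the argument order), which is what a global sid-based disable cannot express. Sid 1002 is disabled in the VRT sample, so it is not counted as an overlap and the ET copy is left active; run the script on the real emerging-*.rules files after each update and before the sensor reloads.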

