[Emerging-Sigs] The New Rulesets are Ready!!

waldo kitty wkitty42 at windstream.net
Wed Oct 13 19:49:47 EDT 2010


On 10/13/2010 08:37, Weir, Jason wrote:
> Matt,
>
> Maybe I'm missing something...

i must be, also...

> If I use the open-nongpl + vrt free rulesets then I wont get the updated
> GPL rules from you guys..

ahhh... that's right... i didn't think about that... and VRT is not updating 
them? even when they come from another source?? hummm...

> To get the updated GPL rules I will need to skip the VRT free rules
> which means missing out on a bunch of rules there.

"free set" as in the "registered users" set or the "set that comes with snort"?

> I was trying to come up with a way to have the best of both worlds and
> use the VRT free rules but also get the updated GPL rules from ET.

i understand a bit more now that it is phrased this way...

> What's your reason behind not changing the SIDs?

avoiding dupes was my understanding...

> I'm lobbying for SID changes because I could then use oinkmaster to
> disable the VRT GPL rules and have my cake and eat it too..

i, too, use oinkmaster... i think you're on to something here ;)

> But I know it's not your job to ensure compatability between VRT&
> ET....
>
> If anybody has another option I'm missing - please let me know..

ummm... wait! wait! wait! can't oinkmaster take different includes/configs? 
disable the ones in the VRT set with one config and then leave them alone in the 
config for the ET set... this may also require separate rules directories if 
oinkmaster looks at all rules files in the current rules directory but that's 
too easy to handle... i don't recall telling/allowing oinkmaster to read the 
snort.conf so unless it reads all files in the rules directory, it should only 
work with the current ones in the current rules set being processed, i think...

is there a list of the SIDs of the gpl rules somewhere?


More information about the Emerging-sigs mailing list