[Emerging-Sigs] Rule question

L0rd Ch0de1m0rt l0rdch0de1m0rt at gmail.com
Tue Oct 19 12:20:03 EDT 2010


I think ET is trying to provide snort users added support since VRT is
only supporting snort current version and one version back and a lot
of people still run old versions.  They do this for many reasons:

1) snort is running on an embedded device and upgrading is not practical.
2) large enterprises can't easily deploy new versions every few months
due to the number of sensors, testing requirements (especially in IPS
mode environments), and SF seems to push out a new version of snort
every few months (not that I'm complaining about the ongoing
development and releases, I just wish they would support their stuff
more than a few months).
3) hardware limitations and snort bugs
4) big companies move slowly
5) politics
6) more reasons other ET folks will chime in with

Personally, I think it is great ET supports all the way back to v2.4.
The fact that they aren't fully on 2.9 yet is probably b/c it just
came out and SF has made a bunch of changes on how snort rules are
evaluated (for example, see previous thread on the Zeus sig where Will
talks about how the snort http preprocessor behaves differently across
the versions) that have to be compensated for if you want a quality
ruleset.

-L0rd

On 10/19/10, Lay, James <james.lay at wincofoods.com> wrote:
> I posted this in the snort-sigs group, and now I'm posting it here:
>
> I guess there's something I do not understand as it relates to ET & VRT
> rules.  As I understand it:
>
> Snort VRT supports 2.8.6.1 and 2.9.0
>
> ET supports 2.4-2.8.6
>
> Is it just me or does this not make sense?  Why are ET rules even
> bothering with unsupported versions of Snort, and not putting out rules
> that are in line with supported versions of Snort?  I have to be
> honest...from a home and business user, going from what used to be a
> relatively easy rule management system, to what it is now has been
> extremely time-consuming and frustrating.  And, coming from someone who
> has little knowledge of how the ET and VRT rulesets are
> developed/maintained, I have to think that duplicate SIDs seem to be
> counterproductive.  I'll keep plodding along...thank you.
>
> James
>
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704