[Emerging-Sigs] Rule question

evilghost@packetmail.net
Tue Oct 19 13:00:59 EDT 2010


On 10/19/2010 11:49 AM, Lay, James wrote:
> Jason Brvenik and more have mentioned using the open-nogpl ruleset...so
> it looks like that's what I'll need to do to avoid dups (though I now
> have Jason Weir's method working).  Kinda seems like lines are being
> drawn now....run Snort VRT OR ET...but not both?  Odd.

Yeah, really that's the set you should be using.  I didn't get the ET
versus VRT stance though, it looked more like "We'll try to support
every instance and version".

Based on "...if you're staying with VRT as your primary ruleset and
want to add the ET Open rules you'll have GPL sid duplication. So to
make it possible for you to choose to stay with VRT we have provided a
version of the ruleset that does NOT contain the GPL or community rules
that would overlap" I'm not sure how you got "VRT versus ET".

The VRT no longer maintains the GPL rules.  ET pulled these GPL rules
and optimized them; if you use the VRT sets AND the ET sets then you
need the nogpl rules.  If you run ET only then you can use the GPL
optimized rules (http_header; http_method; etc).

I think you're a little confused about the recent changes; I'll try to
summarize (someone correct me if I am wrong):

1) Before ET Pro etc all rules were degraded to the Snort 2.4 syntax,
this meant no http_method, http_cookie, etc.

2) ET Pro came along and the 2.4 rulesets (and those submitting going
forward) get optimized to the respective release.

3) ET Pro pulled in the VRT GPL rules and optimized these (see #2) but
preserved the SIDs since there isn't much sense in duplicating these
rules with VRT and ET (with ET being optimized).  You'll have different
SIDs detecting on the same events and firing simultaneously.

4) Folks who use VRT should use nogpl since they're already going to be
running these rules.  If you want to use the ET GPL optimized rules then
you need to disable the VRT SIDs which collide since these are unoptimized.

-evilghost
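As an added example (not code from this thread or from ET/VRT), here is a Python check for the SID collision described above: it parses two Snort rules files, lists the gid:sid pairs that are enabled in both, and prints them one per line in gid:sid form. The sample rules and SIDs are constructed placeholders, and the gid:sid-per-line disable-list format is an assumption about whatever rule-management tool you feed it to.

```python
import re

# Constructed sample files; SIDs 9000001-9000004 and messages are placeholders, not real rules.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB example, unoptimized"; flow:to_server,established; content:"GET /example"; sid:9000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"VRT-only example"; flow:to_server,established; content:"SSH-"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"VRT example also shipped by ET but disabled there"; content:"USER"; sid:9000003; rev:1;)
"""
ET_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB example, http_method optimized"; flow:to_server,established; content:"GET"; http_method; content:"/example"; http_uri; sid:9000001; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET copy, commented out"; content:"USER"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET-only example"; flow:to_server; content:"EHLO"; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rules(text):
    """Return {(gid, sid): msg} for every enabled rule in a rules file.

    Lines starting with '#' are disabled rules (or comments) and are skipped,
    so a rule that one set ships commented out does not count as a collision.
    gid defaults to 1 when the rule does not set it."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue  # not a rule line
        gid = GID_RE.search(line)
        msg = MSG_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        rules[key] = msg.group(1) if msg else ""
    return rules


def find_collisions(primary, secondary):
    """(gid, sid) keys enabled in both sets: two copies would fire on the same event."""
    return sorted(set(primary) & set(secondary))


def disablesid_lines(collisions):
    """Render collisions as 'gid:sid' lines for a disable list (format is an assumption)."""
    return [f"{gid}:{sid}" for gid, sid in collisions]


if __name__ == "__main__":
    print("\n".join(disablesid_lines(find_collisions(parse_rules(VRT_RULES), parse_rules(ET_RULES)))))
```

Pass the real VRT and ET Open (non-nogpl) files in place of the constructed strings to see which SIDs you would need to disable on the VRT side if you want ET's optimized GPL copies to be the ones that fire.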