[Emerging-Sigs] Rule question

evilghost at packetmail.net
Tue Oct 19 13:00:59 EDT 2010



On 10/19/2010 11:49 AM, Lay, James wrote:
> Jason Brvenik and more have mentioned using the open-nogpl ruleset...so
> it looks like that's what I'll need to do to avoid dups (though I now
> have Jason Weir's method working).  Kinda seems like lines are being
> drawn now....run Snort VRT OR ET...but not both?  Odd.

Yeah, really that's the set you should be using.  I didn't get the ET
versus VRT stance though, it looked more like "We'll try to support
every instance and version".

Based on "...if you're staying with VRT as your primary ruleset and
want to add the ET Open rules you'll have GPL sid duplication. So to
make it possible for you to choose to stay with VRT we have provided a
version of the ruleset that does NOT contain the GPL or community rules
that would overlap" I'm not sure how you got "VRT versus ET".

The VRT no longer maintains the GPL rules.  ET pulled these GPL rules
and optimized them; if you use the VRT sets AND the ET sets then you
need the nogpl rules.  If you run ET only then you can use the GPL
optimized rules (http_header; http_method; etc).

I think you're a little confused about the recent changes; I'll try to
summarize (someone correct me if I am wrong):

1) Before ET Pro etc., all rules were degraded to the Snort 2.4 syntax;
this meant no http_method, http_cookie, etc.

2) ET Pro came along and the 2.4 rulesets (and those submitted going
forward) got optimized to the respective release.

3) ET Pro pulled in the VRT GPL rules and optimized these (see #2) but
preserved the SIDs, since there isn't much sense in duplicating these
rules with VRT and ET (with ET being optimized).  You'll have different
SIDs detecting on the same events and firing simultaneously.

4) Folks who use VRT should use nogpl since they're already going to be
running these rules.  If you want to use the ET GPL optimized rules then
you need to disable the VRT SIDs which collide since these are unoptimized.

-evilghost
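A small check for the SID duplication discussed in this message, added here as an example; it is not code from the thread, from Emerging Threats, or from the VRT. The rule text and SID values are constructed samples, and the script assumes one rule per line, gid 1 when no gid option is present, and that a line beginning with "#" is an already-disabled rule. It lists every gid:sid that is active in two or more rulesets and can comment those rules out of the set you are not keeping (the VRT copies, in the scenario above), so the same event is not reported twice.

```python
"""Find SIDs that are active in more than one Snort ruleset and disable the
duplicates in the set you are not keeping.

Added example; the rules below are constructed and not real VRT or ET rules.
Assumptions: one rule per line, gid defaults to 1, '#' lines are disabled.
"""
import re
from collections import defaultdict

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def rule_key(line):
    """(gid, sid) of an active rule line, or None for blank/comment/non-rule."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    sid = SID_RE.search(line)
    if not sid:
        return None  # variable definition or other non-rule line
    gid = GID_RE.search(line)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def parse_sids(rules_text):
    """Return {(gid, sid): rule_line} for every active rule in the text."""
    found = {}
    for line in rules_text.splitlines():
        key = rule_key(line)
        if key is not None:
            found[key] = line.strip()
    return found


def find_collisions(rulesets):
    """rulesets: {set_name: rules_text}.
    Returns {(gid, sid): [set_name, ...]} for SIDs active in two or more sets."""
    owners = defaultdict(list)
    for name, text in rulesets.items():
        for key in parse_sids(text):
            owners[key].append(name)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def disable_colliding(rules_text, collisions):
    """Return rules_text with every rule whose (gid, sid) is in `collisions`
    commented out; all other lines are preserved unchanged."""
    out = []
    for line in rules_text.splitlines():
        out.append("# " + line if rule_key(line) in collisions else line)
    return "\n".join(out) + "\n"


# Constructed samples. SID 9000001 exists in both sets: the VRT copy in Snort
# 2.4 syntax, the ET copy using http_method/http_uri. SID 9000002 is already
# commented out in the ET set, so it must not be reported as a collision.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE GPL WEB probe"; flow:to_server,established; content:"GET "; depth:4; content:"/probe.cgi"; classtype:web-application-activity; sid:9000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SAMPLE VRT-only mail rule"; flow:to_server,established; content:"VRFY"; sid:9000002; rev:1;)
"""
ET_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE GPL WEB probe"; flow:to_server,established; content:"GET"; http_method; content:"/probe.cgi"; http_uri; classtype:web-application-activity; sid:9000001; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ET-only rule"; flow:to_server,established; content:"sample"; sid:9000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SAMPLE disabled duplicate"; content:"VRFY"; sid:9000002; rev:1;)
"""

if __name__ == "__main__":
    dupes = find_collisions({"VRT": VRT_RULES, "ET": ET_RULES})
    for (gid, sid), sets in sorted(dupes.items()):
        print(f"{gid}:{sid} active in {', '.join(sets)}")
    # Keep the optimized ET copy; comment the colliding VRT copy out.
    print(disable_colliding(VRT_RULES, dupes))
```

Run it against real files by reading each .rules file into the `rulesets` dictionary; the gid:sid pairs it prints are the ones to put on your rule manager's disable list for the set you are not keeping, and the commented-out text is what you would install in place of that file.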