[Emerging-Sigs] Rule question

Leon Ward leon at rm-rf.co.uk
Tue Oct 19 13:51:35 EDT 2010


Hi all,

> I would get to choose who I get my old GPL rules from...

GPL rules are what they are, free for use and distribution (within the
constraints of the GPL); however I think I'm witnessing something
about to happen here that could come back to bite people.

Rules have a unique identifier gid:sid:rev. With two "maintained" sets
of rules they are no longer unique.

A wise man once said: "A man with one watch knows what time it is, a
man with two is not so sure"..... If you have an event fire, and
twelve months later you need to look back to find what rule triggered
it, you have problems. What 1:111:3 was it?

Remapping sids is also a bad idea, but for a different reason. There
are many external correlation engines that use gid:sid:rev for mapping
events to <stuff>, breaking this will anger some folks.

-Leon
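The two failure modes Leon describes above (the same gid:sid:rev naming different rules in two "maintained" copies, and sids being remapped so correlation keys no longer line up) are easy to check for mechanically before a second rule set is deployed. The following is an added example written for this archive, not code from the thread or from any rule vendor: it parses two small rule files, both constructed here with made-up sids and messages, and reports every identifier collision or remap between them. The option parsing is deliberately minimal (it only pulls out gid, sid, rev and msg) and is an assumption about rule syntax, not a full Snort parser.

```python
"""Check two Snort/Suricata rule sets for gid:sid:rev collisions and remaps.

Added example, not code from the mailing-list thread. Both rule sets below
are constructed samples; every sid and msg in them is made up.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "gid sid rev msg core")

# Option keywords we care about inside the parenthesised rule body.
_OPT = {
    "gid": re.compile(r"\bgid\s*:\s*(\d+)\s*;"),
    "sid": re.compile(r"\bsid\s*:\s*(\d+)\s*;"),
    "rev": re.compile(r"\brev\s*:\s*(\d+)\s*;"),
    "msg": re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;'),
}
# Used to strip the identifier options so rule text can be compared on its own.
_IDENT = re.compile(r"\b(?:gid|sid|rev)\s*:\s*\d+\s*;")


def _core(body):
    """Rule body with gid/sid/rev removed and whitespace normalised."""
    return re.sub(r"\s+", " ", _IDENT.sub("", body)).strip()


def parse_rules(text):
    """Return {(gid, sid): Rule} for every active rule line in text.

    Disabled (commented-out) rules and blank lines are skipped. A rule with
    no gid option is given gid 1, which is what Snort assumes.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue
        body = line[start + 1:end]
        sid = _OPT["sid"].search(body)
        if not sid:
            continue  # a rule without a sid will not load anyway
        gid = _OPT["gid"].search(body)
        rev = _OPT["rev"].search(body)
        msg = _OPT["msg"].search(body)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        rules[key] = Rule(key[0], key[1],
                          int(rev.group(1)) if rev else 0,
                          msg.group(1) if msg else "", _core(body))
    return rules


def find_collisions(set_a, set_b):
    """Compare two rule sets and return a list of (kind, 'gid:sid', detail).

    kind is one of:
      same-id-different-rule : identical gid:sid:rev but different rule text,
                               so the triple no longer names exactly one rule
      rev-diverged           : same gid:sid, different rev (the rule has forked)
      sid-remapped           : same rule text published under a different sid
    """
    issues = []
    shared = set(set_a) & set(set_b)
    for key in sorted(shared):
        a, b = set_a[key], set_b[key]
        ident = f"{a.gid}:{a.sid}"
        if a.rev == b.rev and a.core != b.core:
            issues.append(("same-id-different-rule", ident,
                           f"rev {a.rev}: '{a.msg}' vs '{b.msg}'"))
        elif a.rev != b.rev:
            issues.append(("rev-diverged", ident, f"rev {a.rev} vs rev {b.rev}"))
    # Remapped sids: same rule text, different identifier. Anything keyed on
    # gid:sid:rev (correlation engines, old alert logs) will not connect them.
    by_core_b = {r.core: k for k, r in set_b.items()}
    for key in sorted(set(set_a) - shared):
        other = by_core_b.get(set_a[key].core)
        if other is not None:
            issues.append(("sid-remapped", f"{key[0]}:{key[1]}",
                           f"same rule text appears as {other[0]}:{other[1]} in the other set"))
    return issues


# Constructed sample: set A as kept by one maintainer.
SET_A = """
# sample rule set A (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP example login probe"; flow:to_server,established; content:"USER"; sid:111; rev:3; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB example traversal"; flow:to_server,established; content:"../"; sid:222; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"GPL SMTP example VRFY"; flow:to_server,established; content:"VRFY"; sid:333; rev:2;)
"""

# Constructed sample: set B as kept by a second maintainer, who rewrote sid 111
# without bumping rev, bumped rev on 222, and moved the VRFY rule to sid 9333.
SET_B = """
# sample rule set B (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP example password probe"; flow:to_server,established; content:"PASS"; sid:111; rev:3; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB example traversal"; flow:to_server,established; content:"../"; http_uri; sid:222; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"GPL SMTP example VRFY"; flow:to_server,established; content:"VRFY"; sid:9333; rev:2;)
alert udp any any -> any 53 (msg:"GPL DNS example"; gid:1; sid:444; rev:1;)
"""


def report(text_a=SET_A, text_b=SET_B):
    """Run the comparison on two rule files' contents and return the issues."""
    return find_collisions(parse_rules(text_a), parse_rules(text_b))


if __name__ == "__main__":
    for kind, ident, detail in report():
        print(f"{kind:24} {ident:10} {detail}")
```

Running it on the two constructed sets flags 1:111 as the worst case (one identifier, two different rules, no rev bump), 1:222 as a fork, and 1:333 as a remap to 1:9333. On real rule files the same script takes the two files' contents as `text_a` and `text_b`; an empty result is the condition under which two copies of a rule set can coexist without making past alerts ambiguous.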


On Tue, Oct 19, 2010 at 6:26 PM, Weir, Jason <jason.weir at nhrs.org> wrote:
> If you mean by removing them from and providing them separately from the
> main ruleset then I'm all for it..
>
> I would get to choose who I get my old GPL rules from...
>
> -J
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Joel
> Esler
> Sent: Tuesday, October 19, 2010 1:23 PM
> To: evilghost at packetmail.net
> Cc: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Rule question
>
>
> On Oct 19, 2010, at 1:19 PM, evilghost at packetmail.net wrote:
>> On 10/19/2010 12:10 PM, Joel Esler wrote:
>>> We do maintain the GPL rules.
>>
>> I meant as in optimize/enhance/change/etc; yeah they're still pushed
>> out in the VRT packages but AFAIK you've not gone back and added the
>> new normalized buffers, methods, etc.
>
> Yeah, we don't put them back out separate from the free registered
> ruleset, correct.  Is that something of interest?
>
> Not committing to doing it, just asking if there is interest.
>
> --
> Joel Esler
> http://www.joelesler.net
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs