[Emerging-Sigs] Rule question

Weir, Jason jason.weir at nhrs.org
Tue Oct 19 13:57:43 EDT 2010

The same growing pains happen when any open source project forks..  You have to choose one or the other.

And this one has forked even if not officially - we have the same ruleset maintained separately by competing entities.

The way I see it - it either needs to fork officially or either ET or VRT drops those rules entirely.


-----Original Message-----
From: leon.j.ward at gmail.com [mailto:leon.j.ward at gmail.com] On Behalf Of Leon Ward
Sent: Tuesday, October 19, 2010 1:52 PM
To: Weir, Jason
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Rule question

Hi all,

> I would get to choose who I get my old GPL rules from...

GPL rules are what they are, free for use and distribution (within the constraints of the GPL); however I think I'm witnessing something about to happen here that could come back to bite people.

Rules have a unique identifier gid:sid:rev. With two "maintained" sets of rules they are no longer unique.

A wise man once said: "A man with one watch knows what time it is, a man with two is not so sure"..... If you have an event fire, and twelve months later you need to look back to find what rule triggered it you have problems. What 1:111:3 was it?

Remapping sids is also a bad idea, but for a different reason. There are many external correlation engines that use gid:sid:rev for mapping events to <stuff>, breaking this will anger some folks.


On Tue, Oct 19, 2010 at 6:26 PM, Weir, Jason <jason.weir at nhrs.org> wrote:
> If you mean by removing them from and providing them separately from 
> the main ruleset then I'm all for it..
> I would get to choose who I get my old GPL rules from...
> -J
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Joel 
> Esler
> Sent: Tuesday, October 19, 2010 1:23 PM
> To: evilghost at packetmail.net
> Cc: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Rule question
> On Oct 19, 2010, at 1:19 PM, evilghost at packetmail.net wrote:
>> On 10/19/2010 12:10 PM, Joel Esler wrote:
>>> We do maintain the GPL rules.
>> I meant as in optimize/enhance/change/etc; yeah they're still pushed 
>> out in the VRT packages but AFAIK you've not gone back and added the 
>> new normalized buffers, methods, etc.
> Yeah, we don't put them back out separate from the free registered 
> ruleset, correct.  Is that something of interest?
> Not committing to doing it, just asking if there is interest.
> --
> Joel Esler
> http://www.joelesler.net


Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
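The identifier problem Leon raises above (two maintained copies of the same GPL rules, so gid:sid:rev is no longer unique, and a remap would break the correlation engines keyed on it) is something a defender can check for before loading two sources into one sensor. The following script is an added example, not code from this thread or from ET or VRT: it parses rules in Snort syntax from two sources, keys them by (gid, sid), and reports sids whose detection logic differs between the sources (the "which 1:111:3 was it?" case) separately from sids that only differ in rev. The rule text is constructed for the example and the function names are my own.

```python
"""Detect gid:sid collisions between two Snort-syntax rule sources.

Added example; rules below are constructed samples, not real ET or VRT rules.
"""

# Constructed sample rule sets. Both ship sid 111 and sid 222; only one ships 333.
SOURCE_A_RULES = """\
alert tcp any any -> any 80 (msg:"SAMPLE web request A"; flow:established,to_server; content:"/a"; http_uri; sid:111; rev:3;)
alert tcp any any -> any 21 (msg:"SAMPLE ftp login"; flow:to_server; content:"USER"; sid:222; rev:1;)
alert tcp any any -> any 25 (msg:"SAMPLE smtp helo"; content:"HELO"; sid:333; rev:1;)
"""
SOURCE_B_RULES = """\
alert tcp any any -> any 80 (msg:"SAMPLE web request B"; flow:established,to_server; content:"/b"; http_uri; sid:111; rev:3;)
alert tcp any any -> any 21 (msg:"SAMPLE ftp login"; flow:to_server; content:"USER"; sid:222; rev:2;)
"""

# Options that describe the rule rather than what it matches; excluded when
# deciding whether two rules with the same sid are "the same detection".
BOOKKEEPING = {"gid", "sid", "rev", "msg", "reference", "classtype", "metadata", "priority"}


def split_options(block):
    """Split the option block on ';' while respecting quoted strings and escapes."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in block:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                tokens.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        tokens.append(tok)
    return tokens


def parse_rules(text):
    """Return {(gid, sid): {"rev": int, "msg": str, "body": str}} for one source."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue  # not a rule line
        header = " ".join(line[:start].split())
        tokens = split_options(line[start + 1:end])
        opts = {}
        for tok in tokens:
            key, _, val = tok.partition(":")
            opts.setdefault(key.strip(), val.strip())
        if "sid" not in opts:
            continue
        gid = int(opts.get("gid", 1))  # Snort's default generator id
        body_tokens = [t for t in tokens if t.partition(":")[0].strip() not in BOOKKEEPING]
        rules[(gid, int(opts["sid"]))] = {
            "rev": int(opts.get("rev", 1)),
            "msg": opts.get("msg", "").strip('"'),
            "body": header + " " + "; ".join(body_tokens),
        }
    return rules


def compare_rulesets(a, b):
    """Classify every (gid, sid) seen in either source."""
    report = {"conflicts": [], "rev_drift": [], "identical": [], "only_a": [], "only_b": []}
    for ident in sorted(set(a) | set(b)):
        ra, rb = a.get(ident), b.get(ident)
        if ra is None:
            report["only_b"].append(ident)
        elif rb is None:
            report["only_a"].append(ident)
        elif ra["body"] != rb["body"]:
            report["conflicts"].append(ident)  # same sid, different detection logic
        elif ra["rev"] != rb["rev"]:
            report["rev_drift"].append(ident)  # same logic, revision numbers diverged
        else:
            report["identical"].append(ident)
    return report


if __name__ == "__main__":
    result = compare_rulesets(parse_rules(SOURCE_A_RULES), parse_rules(SOURCE_B_RULES))
    for category, idents in result.items():
        if idents:
            print(f"{category}: " + ", ".join(f"{g}:{s}" for g, s in idents))
```

Run it against the two real rule files instead of the embedded samples and anything listed under `conflicts` is a sid whose meaning depends on which source the sensor happened to load, exactly the situation where an event from twelve months ago can no longer be tied back to one rule. `rev_drift` entries are the milder case where both sources agree on the detection but will disagree on the rev reported in the event.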
