[Emerging-Sigs] Rule question

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 20 05:19:57 EDT 2010


I have not heard anything from SF on the matter yet. As soon as I do I will let you all know.

We plan to continue to support the old GPL rules on 2.4 as long as they're being downloaded. 

Matt

On Oct 19, 2010, at 2:09 PM, Weir, Jason wrote:

> Well come on then guys.... Hurry up... It's not like you've got anything
> else important to do.. ;)
> 
> -J
> 
> -----Original Message-----
> From: Joel Esler [mailto:joel.esler at me.com] 
> Sent: Tuesday, October 19, 2010 2:07 PM
> To: Weir, Jason
> Cc: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Rule question
> 
> 
> As I've said a couple times, Jonkman and I are working on something in
> the back end, but, like I said, I want to get my ducks in a row before
> we announce it.  And no, it's not really that big of a deal.
> 
> So let's hit the pause button and not get riled up about it.  I see this
> as a temporary step.
> 
> J
> 
> On Oct 19, 2010, at 1:57 PM, Weir, Jason wrote:
> 
>> The same growing pains happen when any open source project forks..  
>> You have to choose one or the other.
>> 
>> And this one has forked even if not officially - we have the same 
>> ruleset maintained separately by competing entities.
>> 
>> The way I see it - it either needs to fork officially or either ET or 
>> VRT drops those rules entirely.
>> 
>> -J
>> 
>> -----Original Message-----
>> From: leon.j.ward at gmail.com [mailto:leon.j.ward at gmail.com] On Behalf 
>> Of Leon Ward
>> Sent: Tuesday, October 19, 2010 1:52 PM
>> To: Weir, Jason
>> Cc: emerging-sigs at emergingthreats.net
>> Subject: Re: [Emerging-Sigs] Rule question
>> 
>> 
>> Hi all,
>> 
>>> I would get to choose who I get my old GPL rules from...
>> 
>> GPL rules are what they are, free for use and distribution (within the
>> constraints of the GPL); however I think I'm witnessing something 
>> about to happen here that could come back to bite people.
>> 
>> Rules have a unique identifier gid:sid:rev. With two "maintained" sets
>> of rules they are no longer unique.
>> 
>> A wise man once said: "A man with one watch knows what time it is, a 
>> man with two is not so sure"..... If you have an event fire, and 
>> twelve months later you need to look back to find what rule triggered 
>> it you have problems. What 1:111:3 was it?
>> 
>> Remapping sids is also a bad idea, but for a different reason. There 
>> are many external correlation engines that use gid:sid:rev for mapping
>> events to <stuff>, breaking this will anger some folks.
>> 
>> -Leon
>> 
>> 
>> On Tue, Oct 19, 2010 at 6:26 PM, Weir, Jason <jason.weir at nhrs.org> 
>> wrote:
>>> If you mean by removing them from and providing them separately from
>>> the main ruleset then I'm all for it..
>>> 
>>> I would get to choose who I get my old GPL rules from...
>>> 
>>> -J
>>> 
>>> -----Original Message-----
>>> From: emerging-sigs-bounces at emergingthreats.net
>>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Joel
>>> Esler
>>> Sent: Tuesday, October 19, 2010 1:23 PM
>>> To: evilghost at packetmail.net
>>> Cc: emerging-sigs at emergingthreats.net
>>> Subject: Re: [Emerging-Sigs] Rule question
>>> 
>>> 
>>> On Oct 19, 2010, at 1:19 PM, evilghost at packetmail.net wrote:
>>>> On 10/19/2010 12:10 PM, Joel Esler wrote:
>>>>> We do maintain the GPL rules.
>>>> 
>>>> I meant as in optimize/enhance/change/etc; yeah they're still pushed
>>>> out in the VRT packages but AFAIK you've not gone back and added the
>>>> new normalized buffers, methods, etc.
>>> 
>>> Yeah, we don't put them back out separate from the free registered
>>> ruleset, correct.  Is that something of interest?
>>> 
>>> Not committing to doing it, just asking if there is interest.
>>> 
>>> --
>>> Joel Esler
>>> http://www.joelesler.net


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
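
The gid:sid:rev ambiguity raised in the quoted thread above, as an added example that is not part of the original messages: a check that finds identifiers shared by two rule sets whose rule text differs. The rule lines are constructed samples, not real ET or VRT rules; the function names, the simplified option regex, and treating a missing rev as 0 are assumptions of this example.

```python
import re

# Constructed sample rules (not real ET or VRT rule text).
SET_A = '''
alert tcp any any -> any 80 (msg:"sample one"; content:"abc"; sid:111; rev:3;)
alert tcp any any -> any 25 (msg:"same in both"; content:"xyz"; sid:112; rev:1;)
'''
SET_B = '''
alert tcp any any -> any 80 (msg:"sample one"; content:"abc"; http_uri; sid:111; rev:3;)
alert tcp any any -> any 25 (msg:"same in both"; content:"xyz"; sid:112; rev:1;)
alert tcp any any -> any 53 (msg:"only in B"; content:"q"; gid:1; sid:113; rev:2;)
'''

# Simplified: matches gid/sid/rev options anywhere on the line.
OPT = re.compile(r'\b(gid|sid|rev)\s*:\s*(\d+)\s*;')


def index_rules(text):
    """Map (gid, sid, rev) -> whitespace-normalized rule text."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out rules
        opts = dict(OPT.findall(line))
        if 'sid' not in opts:
            continue
        # gid defaults to 1 for text rules; rev 0 when absent is this
        # example's assumption.
        key = (int(opts.get('gid', 1)), int(opts['sid']),
               int(opts.get('rev', 0)))
        index[key] = ' '.join(line.split())
    return index


def conflicting_ids(a_text, b_text):
    """Identifiers present in both sets whose rule text is not identical."""
    a, b = index_rules(a_text), index_rules(b_text)
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])


if __name__ == '__main__':
    for gid, sid, rev in conflicting_ids(SET_A, SET_B):
        print(f'{gid}:{sid}:{rev} means different rules in each set')
```

An event logged as 1:111:3 against these two sets cannot be traced back to one rule body without also recording which set was loaded.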




