[Snort-sigs] Re: Snort-sigs digest, Vol 1 #698 - 11 msgs

Aluru Madhuri amadhuri at ...1854...
Thu Sep 11 23:25:25 EDT 2003


At 07:45 PM 9/11/03 -0700, you wrote:
>Today's Topics:
>
>    1. Re: quick rules for new dcom stuff (Johnathan Norman)
>    2. Re: quick rules for new dcom stuff (Sam Evans)
>    3. Re: quick rules for new dcom stuff (Jason Haar)
>    4. RE: Rule for the newest DCOM vulnerability? (Eric Hines)
>    5. Re: Netcat telnet attack signature (Matt Kettler)
>    6. Re: BAD TRAFFIC Non-Standard IP protocol (Matt Kettler)
>    7. AW: [Snort-sigs] Rule for the newest DCOM vulnerability? (Sean Wheeler)
>    8. Re: Rule for the newest DCOM vulnerability? (Brian)
>    9. RE: Rule for the newest DCOM vulnerability? (Compton, Rich)
>   10. Re: rules licensing (slightly off-topic pondering) (Matt Kettler)
>   11. Re: rules licensing (Brian)
>
>--__--__--
>
>Message: 1
>Date: Thu, 11 Sep 2003 06:42:44 -0500 (CDT)
>From: Johnathan Norman <jnorman at ...1256...>
>To: David Wilburn <dwilburn at ...8...>
>cc: snort-sigs <snort-sigs at lists.sourceforge.net>
>Subject: Re: [Snort-sigs] quick rules for new dcom stuff
>
>
>
>On Thu, 11 Sep 2003, David Wilburn wrote:
>
> > Johnathan Norman wrote:
> >
> > >I wrote these at 4am so I am sure they could be a lot better.
> > >
> > >These rules worked for the nessus scanner, microsoft scan tool, and eeye's
> > >scanner. So far I have not seen any FP's but who knows.. if your snort box
> > >explodes don't blame me. SID 2192 also picks up this traffic..
> > >
> > >alert tcp any any -> any 135 (content:"|05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31|"; msg:"NetBios RPC DCOM DOS Attempt (Xforce.net code)"; rev:1; sid:1000030;)
> > >alert tcp any any -> any 135 (content:"|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|"; msg:"NetBios DCERPC exploit attempt (req 3)"; rev:1; sid:1000028;)
> > >alert tcp any any -> any 135 (content:"|58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a b236 19bc af2c 2dea 0100 0000 0100 0000 5c00|"; msg:"NetBios malformed DCERPC DCOM object activation request (4)"; rev:1; sid:1000029;)
> > >
> > >
> >
> > Correct me if I'm wrong, but I believe these scan tools check for all of
> > the known RPC vulnerabilities, including both MS03-026 and MS03-039.
> >  This would mean that a scan for the older RPC vulnerability would occur
> > alongside the newer ones, and would naturally be detected by the older
> > signature.  That does not necessarily mean that a scan tool or exploit
> > designed to scan only for the newer vulnerabilities would be detected by
> > these sigs, though.  Is your rule detecting scans for the new vulns, or
> > the older one, or both?  What about SID 2192?
> >
> >
>
>mine pick up the new scans. sid 2192 alerts on the older. All 3 will
>alert using the MS scan tool.
>
>and of course the DOS rule is based on the xforce.net exploit code.. so it
>only alerts if that code is used.  You can find it at
>http://www.k-otik.com/exploits/07.21.win2kdos.c.php
>
>I basically just took traffic dumps from the scanners and wrote rules
>based on the payloads and what I think is going on ... I could be way off
>:)
>
>Johnathan
>
>
>
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>
>
>--__--__--
>
>Message: 2
>Date: Thu, 11 Sep 2003 09:42:45 -0400 (EDT)
>From: Sam Evans <sam at ...219...>
>To: David Wilburn <dwilburn at ...8...>
>cc: Johnathan Norman <jnorman at ...1256...>,
>     snort-sigs <snort-sigs at lists.sourceforge.net>
>Subject: Re: [Snort-sigs] quick rules for new dcom stuff
>
>
>You are correct.  Both Eeye and Microsoft's tool scan for MS03-026 and
>MS03-039.
>
>-Sam
>
>
>
>--__--__--
>
>Message: 3
>Subject: Re: [Snort-sigs] quick rules for new dcom stuff
>From: Jason Haar <Jason.Haar at ...651...>
>To: snort-sigs <snort-sigs at lists.sourceforge.net>
>Organization: Trimble Navigation
>Date: 12 Sep 2003 03:43:24 +1200
>
>On Thu, 2003-09-11 at 23:42, Johnathan Norman wrote:
> > mine pick up the new scans. sid 2192 alerts on the older. All 3 will
> > alert using the MS scan tool.
> >
>
>According to the M$ announcement, they say to block ports
>135,137,138,139,445 to block this. Are they saying this RPC
>vulnerability affects *all* those ports, or is it just ports 135/445 as
>before? (I'm assuming their suggestion is just a generalized statement
>about blocking M$ networking-related ports).
>
>--
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
>
>--__--__--
>
>Message: 4
>From: "Eric Hines" <loki at ...1349...>
>To: "'Compton, Rich'" <RCompton at ...1352...>,
>         <snort-sigs at lists.sourceforge.net>
>Subject: RE: [Snort-sigs] Rule for the newest DCOM vulnerability?
>Date: Wed, 10 Sep 2003 22:39:59 -0500
>
>You would be making the assumption that any upcoming worms or exploits
>will be using the same exploit that eEye's Retina uses or at least
>making the bet that they've based it on Retina which isn't the safest
>bet to make.
>
>Regards,
>
>Eric Hines
>CEO, Chairman
>Applied Watch Technologies, Inc.
>"Browserless Snort Management is Here"
>
>===============================================
>
>Eric Hines
>CEO, Chairman
>Applied Watch Technologies, Inc.
>eric.hines at ...1663...
>-----------------------------------------------
>Corporate Headquarters
>1650 Carlemont Dr.
>Suite D
>Crystal Lake, IL. 60014
>-----------------------------------------------
>Direct Toll Free: (877) 262-7593 (x327)
>Fax: (815) 425-2173
>-----------------------------------------------
>Main Switchboard: (877) 262-7593 (9am-5pm CST)
>Commercial Sales: (877) 262-7593 (opt1)
>Government Sales: (877) 262-7593 (opt2)
>
>===============================================
>
>
>-----Original Message-----
>From: Compton, Rich [mailto:RCompton at ...1352...]
>Sent: Wednesday, September 10, 2003 10:03 PM
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] Rule for the newest DCOM vulnerability?
>
>
>Anyone have a new rule for the newest Microsoft DCOM vulnerability
>(http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp)
>that eEye just discovered
>(http://www.eeye.com/html/Research/Advisories/AD20030910.html)?
>
>Someone on another list suggested running eEye's Retina scanner checking
>for that vulnerability and sniffing for the traffic.  Anybody know if
>that would work?
>
>-Rich Compton
>
>
>
>
>
>
>--__--__--
>
>Message: 5
>Date: Thu, 11 Sep 2003 14:07:19 -0400
>To: "Graham, Jeffery A. MAJ - G6" <Jeffery.graham at ...1848...>,
>    "'snort-sigs at lists.sourceforge.net'" <snort-sigs at lists.sourceforge.net>
>From: Matt Kettler <mkettler at ...189...>
>Subject: Re: [Snort-sigs] Netcat telnet attack signature
>
>At 02:52 PM 9/10/2003 -0400, Graham, Jeffery A. MAJ - G6 wrote:
>
> >alert tcp $TELNET_SERVERS any -> any any (msg:"TELNET Netcat Remote Shell Exploit"; flow:from_server,established; content:"|5c 77 69 63|";
>
>1) That 63 is a typo.. should be a 6e.. you've got it right later in the
>message, but this one looks for "\wic"
>2) Why do the signature in hex? "\win" is much clearer, and can be done on
>a nocase basis. And given Windows' lack of case sensitivity \WINDOWS is the
>same as \windows.
>
>
>
>
> >alert tcp $TELNET_SERVERS any -> $HOME_NET any (msg:"TELNET Netcat shell exploit"; flow:from_server,established; content:"|3e|"; reference:url,www.atstake.com/research/tools/network_utilities/nc11nt.txt; classtype:shellcode-detect; rev:1;)
>
>You are detecting a ">" from a telnet server as a sign of exploit? Ouch
>dude. Any time anyone does a file redirection that's going to fire off. Or
>do you not do things like:
>          grep "10\.1\.2\.1" snort.log > alertsfrom_10.1.2.1
>
>
>
>--__--__--
>
>Message: 6
>Date: Thu, 11 Sep 2003 14:13:21 -0400
>To: daniel.haslinger at ...1846..., snort-sigs at lists.sourceforge.net
>From: Matt Kettler <mkettler at ...189...>
>Subject: Re: [Snort-sigs] BAD TRAFFIC Non-Standard IP protocol
>
>At 04:09 PM 9/10/2003 +0200, Daniél Haslinger wrote:
> >Comment: The author of the original rule forgot to include IP_PROTO:!17
> >(UDP); without this Snort will trigger on every UDP packet as BAD TRAFFIC Non-
> >Standard IP protocol, but UDP in my opinion IS!
>
>While you have a valid point, you should make clear that the rule in
>question, sid:1620, is as far as I know not a part of the active snort
>ruleset.
>
>There's a reason why "deleted.rules" is called "deleted"... they're known
>to be ineffective and/or broken :)
>
>At least, it was in deleted.rules in 2.0.1, I haven't checked the latest
>cvs's. I can't imagine anyone would have resurrected it from the trashheap
>without fixing it first.
>
>
>
>
>
>
>--__--__--
>
>Message: 7
>From: "Sean Wheeler" <s.wheeler at ...944...>
>To: <snort-sigs at lists.sourceforge.net>
>Subject: AW: [Snort-sigs] Rule for the newest DCOM vulnerability?
>Date: Thu, 11 Sep 2003 20:19:17 +0200
>
>Thanks for the early rules!
>Much appreciate your effort to get something posted to this list asap as
>it's a lot better than sitting in the dark having nothing.
>Considering the list is here to discuss and help each other, your effort is
>much appreciated.
>
>regards
>Sean
>
>
>--__--__--
>
>Message: 8
>Date: Thu, 11 Sep 2003 15:27:34 -0400
>From: Brian <bmc at ...95...>
>To: "Compton, Rich" <RCompton at ...1352...>
>Cc: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Rule for the newest DCOM vulnerability?
>
>On Wed, Sep 10, 2003 at 10:02:47PM -0500, Compton, Rich wrote:
> > Anyone have a new rule for the newest Microsoft DCOM vulnerability
> > (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp)
> > that eEye just discovered
> > (http://www.eeye.com/html/Research/Advisories/AD20030910.html)?
>
>Right now, the only pointer I've been able to come up with is looking
>for the System Activator bind attempt.  These were committed today, but
>sourceforge delay = post to here as well.
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote 
>Activation bind attempt"; content:"|05|"; distance:0; within:1; 
>content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; 
>content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; 
>within:16; tag:session,5,packets; reference:cve,CAN-2003-0352; 
>classtype:attempted-admin; 
>reference:url,www.microsoft.com/technet/security/bulletin/MS03-029.asp; 
>reference:cve,CAN-2003-0715; sid:2251; rev:2;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC 
>Remote Activation bind attempt"; flow:to_server,established; 
>content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; 
>distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; 
>nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; 
>content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; 
>content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; 
>within:16; tag:session,5,packets; classtype:attempted-admin; 
>reference:cve,CAN-2003-0352; 
>reference:url,www.microsoft.com/technet/security/bulletin/MS03-029.asp; 
>reference:cve,CAN-2003-0715; sid:2252; rev:2;)
>
>
>--__--__--
>
>Message: 9
>From: "Compton, Rich" <RCompton at ...1352...>
>To: 'Brian' <bmc at ...95...>
>Cc: snort-sigs at lists.sourceforge.net
>Subject: RE: [Snort-sigs] Rule for the newest DCOM vulnerability?
>Date: Thu, 11 Sep 2003 14:31:19 -0500
>
>Brian, I think you've got a typo in your url reference.  You've got:
>www.microsoft.com/technet/security/bulletin/MS03-029.asp
>and it should be a 39 at the end there:
>www.microsoft.com/technet/security/bulletin/MS03-039.asp
>
>-Rich Compton
>
>
>--__--__--
>
>Message: 10
>Date: Thu, 11 Sep 2003 16:34:17 -0400
>To: Milani Paolo <Paolo.Milani at ...1843...>, snort-sigs at lists.sourceforge.net
>From: Matt Kettler <mkettler at ...189...>
>Subject: Re: [Snort-sigs] rules licensing (slightly off-topic pondering)
>
>At 07:20 PM 9/10/2003 +0200, Milani Paolo wrote:
> >if free-ids.org develops a new opensource ids software that can read snort
> >syntax, can he ship snort rule files with it? does this force him to go
> >GPL for his entire project (rather than use some other free software license)
>
>Well, I'm unsure if the rules are GPL licensed or some other license,
>however I'm going to assume that they are for the purpose of this
>discussion. It's somewhat implied that they are, but not explicitly stated,
>someone from Sourcefire would have to clarify this point.
>
>Disclaimer in advance: I'm neither a lawyer, nor a copyright holder of
>snort. If you want an authoritative answer, ask a lawyer and/or someone
>from Sourcefire. I'm just pontificating, and don't mistake me as knowing
>what I'm talking about.
>
>Overall, my best suggestion is to try to get an answer about your specific
>situation from Sourcefire. Clearly if they say they have no problem with
>it, you're not likely to have any problems. If they have objections, try to
>work something out with them which isn't objectionable and still within
>reason. By and large they're pretty reasonable people.
>
>As for the facts, I can only answer the distribution part of your question.
>It is quite common practice to have a GPL piece of software, compiled as a
>stand-alone binary from publicly available source code, be called upon by a
>separate closed source application. A large number of commercial embedded
>tools use GCC as a compiler back-end (for example Wind River's VxWorks).
>However, said closed-source is really a completely separate entity ie: not
>linked to the code in any way, merely calling the OS's exec functions to
>make GCC run.  Also RedHat ships CD's containing packages with a wide
>variety of licenses, not just GPL, and not all compatible with GPL.
>
>Hence, merely distributing a GPL product does not require all products
>distributed to be GPL, even if the products are distributed together, and
>even if one uses the output of another, as long as they are separate
>entities. That's pretty well established. The GPLed items still need GPLish
>treatment, but that doesn't inherently require GPL treatment of separate
>binaries shipped at the same time.
>
>It's a bit unclear if the snort rule files are considered a separate item
>under the GPL, if they are even GPL licensed in the first place. However,
>if you can find the answer to that, the above should hold true.  My
>instinctive feel is that it would be hard to claim that the rule files are
>somehow a part of the program that reads them, thus can be considered a
>stand-alone element if they are GPLed. Doing something involving linking
>the entire textfiles directly into your binary executable could probably
>cause it to be considered single entity, but I can't imagine why anyone
>would do that in the first place. However, I'm not in a position to give a
>"real" answer on this, and that's strictly an opinion with no relative
>weight or authority.
>
>
>--__--__--
>
>Message: 11
>Date: Thu, 11 Sep 2003 21:07:08 -0400
>From: Brian <bmc at ...95...>
>To: Milani Paolo <Paolo.Milani at ...1843...>
>Cc: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] rules licensing
>
>On Wed, Sep 10, 2003 at 07:20:58PM +0200, Milani Paolo wrote:
> > I am wondering about what the licensing policy is for the snort rules
> > being distributed. The rules files themselves do not have the GPL notice
> > that can be found at the head of snort source files, only a copyright
> > notice. But they are available for everyone to download, and are a result
> > of collaborative work from the snort community. So what is the policy
> > about copying/distributing snort rule files (the ones downloaded from the
> > snort site, or modified versions thereof)?
>
>We've been down this road many times.  The rules are licensed as GPL.
>
>You can distribute rules in the same fashion as anything else GPLed.
>BTW, many IDS companies support snort rules.  Correction, many companies
>support a subset of the features provided by snort rules.
>
> > Examples: can whoever modify some snort rules and put them up on a
> > webserver for everyone to use?
>
>Sure.  As long as the rules are GPLed.
>
> > if free-ids.org develops a new opensource ids software that can read
> > snort syntax, can he ship snort rule files with it? does this force him
> > to go GPL for his entire project (rather than use some other free
> > software license)?
>
>Nope, just the rules.
>
> > if make-money-with-ids.com sells a NIDS developed from scratch but
> > compatible with snort syntax, can he ship those rule files with it? can
> > their customers download the rule files themselves?
>
>Sure, as long as they are shipped in a GPL compatible manner.  A number
>of IDS vendors do this.  We (the snort team) would prefer if you published
>the fact you are using our rules up front.  Intrusion.com has been
>shipping our rules for a long time, only to add a comment [0] after we
>bitched.
>
>-brian
>
>[0] Of course, the comment went from how their user community wrote the
>     rules to how the user community wrote the rules or maybe but
>     unlikely other sites like snort.org & whitehats.com might have
>     contributed some of them.
>
>
>
>--__--__--
>
>
>
>End of Snort-sigs Digest
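Brian's sid 2251 in message 8 of the digest pins a DCE/RPC bind to the System Activator interface by absolute position in the PDU (|05| at offset 0, |0b| at offset 2, the first-fragment bit in the flags byte, the interface UUID 29 bytes later), while the sid 1000028 rule in message 1 is a bare content match with no positional constraint. The Python below is an added example written for this page, not code from the list, from Snort or from Sourcefire: it decodes the bind PDU header, applies both predicates, and runs them over two constructed bind PDUs, one to the System Activator interface and one to the Endpoint Mapper. The PDU builder, field names and sample packets are assumptions of the example; the interface UUID bytes and the sid 1000028 bytes are copied from the rules as posted, and the NDR transfer syntax and Endpoint Mapper UUIDs are the standard published values.

```python
"""Decode a DCE/RPC bind PDU and apply the predicates of Snort sid 2251 and
sid 1000028 from the digest.  Added example; not code from the list, Snort
or Sourcefire.  The PDU builder and the sample packets are constructed here."""
import struct
import uuid

# The 16 content bytes of sid 2251, copied from the rule as posted: the
# ISystemActivator (IRemoteActivation) interface UUID in wire (little-endian) order.
SYSTEM_ACTIVATOR_UUID_LE = bytes.fromhex("B84A9F4D1C7DCF11861E0020AF6E7C57")
SYSTEM_ACTIVATOR = uuid.UUID(bytes_le=SYSTEM_ACTIVATOR_UUID_LE)

# The content bytes of sid 1000028, copied from the rule as posted.  They are
# the last 12 bytes of the standard NDR transfer syntax UUID followed by its
# version number (2), so every ordinary bind PDU that offers NDR carries them.
SID_1000028_CONTENT = bytes.fromhex("eb1cc9119fe808002b10486002000000")
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# Endpoint Mapper interface, bound on port 135 in normal operation; used as
# the benign comparison case (constructed sample, not a capture).
EPMAP = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")

PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02


def parse_bind_pdu(payload: bytes) -> dict:
    """Decode the 16-byte common header and the bind fields up to the first
    context element's abstract (interface) syntax.  These offsets are fixed
    for a bind PDU, which is what lets the Snort rule use absolute positions."""
    if len(payload) < 52:
        raise ValueError("too short for a bind PDU with one context element")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<4B", payload, 0)
    frag_length, auth_length, call_id = struct.unpack_from("<HHI", payload, 8)
    max_xmit_frag, max_recv_frag, assoc_group = struct.unpack_from("<HHI", payload, 16)
    num_ctx = payload[24]
    ctx_id, num_transfer_syntaxes = struct.unpack_from("<HB", payload, 28)
    iface_uuid = uuid.UUID(bytes_le=payload[32:48])
    iface_version = struct.unpack_from("<I", payload, 48)[0]
    return {
        "rpc_vers": rpc_vers,
        "ptype": ptype,
        "first_frag": bool(pfc_flags & PFC_FIRST_FRAG),
        "frag_length": frag_length,
        "call_id": call_id,
        "num_ctx": num_ctx,
        "ctx_id": ctx_id,
        "interface": str(iface_uuid),
        "interface_version": iface_version,
    }


def sid_2251_matches(payload: bytes) -> bool:
    """Literal translation of the rule's content/byte_test chain: |05| at
    offset 0; |0b| one byte after it (offset 2); byte_test 1,&,1 on the next
    byte (offset 3, pfc_flags); the interface UUID 29 bytes after that
    (offset 32; within:16 pins it to exactly that position)."""
    if len(payload) < 48:
        return False
    return (payload[0] == 0x05
            and payload[2] == PTYPE_BIND
            and (payload[3] & PFC_FIRST_FRAG) != 0
            and payload[32:48] == SYSTEM_ACTIVATOR_UUID_LE)


def sid_1000028_matches(payload: bytes) -> bool:
    """The rule from message 1 is a plain content match anywhere in the payload."""
    return SID_1000028_CONTENT in payload


def build_bind_pdu(interface: uuid.UUID, version: int = 0, call_id: int = 1) -> bytes:
    """Construct a minimal bind PDU with one presentation context element
    offering the NDR transfer syntax (constructed sample input)."""
    body = struct.pack("<HHI", 5840, 5840, 0)     # max xmit/recv frag, assoc group
    body += struct.pack("<B3x", 1)                 # one context element, 3 pad bytes
    body += struct.pack("<HBx", 0, 1)              # ctx id 0, one transfer syntax, pad
    body += interface.bytes_le + struct.pack("<I", version)
    body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    frag_length = 16 + len(body)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                         b"\x10\x00\x00\x00",      # data representation: LE, ASCII, IEEE
                         frag_length, 0, call_id)
    return header + body


ACTIVATION_BIND = build_bind_pdu(SYSTEM_ACTIVATOR)
EPMAP_BIND = build_bind_pdu(EPMAP, version=3)


def summarize(payload: bytes) -> dict:
    """Decoded header plus the verdict of each rule, for one PDU."""
    info = parse_bind_pdu(payload)
    info["sid_2251"] = sid_2251_matches(payload)
    info["sid_1000028"] = sid_1000028_matches(payload)
    return info


if __name__ == "__main__":
    for name, pdu in (("activation bind", ACTIVATION_BIND), ("epmap bind", EPMAP_BIND)):
        print(name, summarize(pdu))
```

Run stand-alone, it shows sid 2251 firing only on the bind to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57, while the sid 1000028 bytes are present in both PDUs, because they are the tail of the NDR transfer syntax identifier that any bind offering NDR carries. Decoding the PDU this way is the check to do before deploying a rule written from a scanner capture, which is the caveat Johnathan raises himself in message 1.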




