[Snort-sigs] bleeding -> snort rules?

Rich Adamson radamson at ...908...
Sat Dec 3 09:52:02 EST 2005

> > Is there any effort going on by anyone to move rules from the bleeding
> > groups to the official snort rules (after some proof the bleeding rules
> > are not really bleeding anymore)?
> Not really. You'll find that a lot of rules are not "bleeding" anymore.
> They have matured over time due to continues improvement. We have a
> group of admins that on a regular basis review existing rules and
> continuously tweak and improve them.
> If we were to hand all rules over to Snort community, we would loose the
> ability to continually work on rules.
> That said, if they are duplicates in the rules sets, we work with the
> Community guys to get rules transitioned and moved. There might be a
> case or two where we have very similar rules, but the Bleeding rule
> seems like a better rule. We need to figure out if Community moves them
> to us, or if we both should keep them around. Personally, I'd like to
> run the version with better hit rate but less false positives, so there
> might be cases where I have a Snort or Community rule turned off and a
> similar Bleeding rule turned on.
> I think both Community and Bleeding rule repositories are mature and
> here to stay. I don't think either one would go away, so you will always
> have to manage these two (and perhaps other) repositories. Community
> Snort and Bleeding are working together to bring you the best open
> source IDS rules (and apparently the only open source rules). We
> actually improve each other rules too,and re work together to spot and
> remove duplicates.
> If you were referring to moving rules into the VRT rule set, I can tell
> that would never happen. The VRT rule set is restricted by a license
> that is not compatible with the Bleeding (or Community) license. So
> neither a Community (I would hope), nor a Bleeding rule would be moved
> into the license encumbered VRT rule set.
> Does that answer your question? If not, feel free to ask again in the
> OSSRC mail list. The OSSRC, or Open Source Snort Rule Consortium, has
> been formed to formally organize the cooperation between rule
> repositories like Community, Bleeding, and hopefully others. Anyone that
> maintains a public set of rules (like the old WhiteHat rules) is
> encouraged to join the OSSRC so that we may all work together on
> bringing you the best rules for the best IDS there is.

Yes, the above makes sense. It kind of bothers me that a significant
number of bleeding rules have been around for a while (and are very good),
but the naming convention (and process) essentially implies they are all
still bleeding-edge.

Based on previous postings relative to ossrc, the implication was that 
production quality rules would be moved from bleeding into some snort sort
of open-source rule set (eg, community).

Apparently, I'm being overly sensitive to words...


More information about the Snort-sigs mailing list