[Snort-sigs] bleeding -> snort rules?
radamson at ...908...
Sat Dec 3 09:52:02 EST 2005
> > Is there any effort going on by anyone to move rules from the bleeding
> > groups to the official snort rules (after some proof the bleeding rules
> > are not really bleeding anymore)?
> Not really. You'll find that a lot of rules are not "bleeding" anymore.
> They have matured over time due to continues improvement. We have a
> group of admins that on a regular basis review existing rules and
> continuously tweak and improve them.
> If we were to hand all rules over to Snort community, we would loose the
> ability to continually work on rules.
> That said, if they are duplicates in the rules sets, we work with the
> Community guys to get rules transitioned and moved. There might be a
> case or two where we have very similar rules, but the Bleeding rule
> seems like a better rule. We need to figure out if Community moves them
> to us, or if we both should keep them around. Personally, I'd like to
> run the version with better hit rate but less false positives, so there
> might be cases where I have a Snort or Community rule turned off and a
> similar Bleeding rule turned on.
> I think both Community and Bleeding rule repositories are mature and
> here to stay. I don't think either one would go away, so you will always
> have to manage these two (and perhaps other) repositories. Community
> Snort and Bleeding are working together to bring you the best open
> source IDS rules (and apparently the only open source rules). We
> actually improve each other rules too,and re work together to spot and
> remove duplicates.
> If you were referring to moving rules into the VRT rule set, I can tell
> that would never happen. The VRT rule set is restricted by a license
> that is not compatible with the Bleeding (or Community) license. So
> neither a Community (I would hope), nor a Bleeding rule would be moved
> into the license encumbered VRT rule set.
> Does that answer your question? If not, feel free to ask again in the
> OSSRC mail list. The OSSRC, or Open Source Snort Rule Consortium, has
> been formed to formally organize the cooperation between rule
> repositories like Community, Bleeding, and hopefully others. Anyone that
> maintains a public set of rules (like the old WhiteHat rules) is
> encouraged to join the OSSRC so that we may all work together on
> bringing you the best rules for the best IDS there is.
Yes, the above makes sense. It kind of bothers me that a significant
number of bleeding rules have been around for a while (and are very good),
but the naming convention (and process) essentially implies they are all
Based on previous postings relative to ossrc, the implication was that
production quality rules would be moved from bleeding into some snort sort
of open-source rule set (eg, community).
Apparently, I'm being overly sensitive to words...
More information about the Snort-sigs