[Snort-users] snort rules

Matt Kettler mkettler at ...4108...
Thu Apr 28 16:41:45 EDT 2005


Paul Schmehl wrote:

> --On Thursday, April 28, 2005 06:01:01 PM -0400 Matt Kettler
> <mkettler at ...4108...> wrote:
>
>>
>> You only have to pay to get the rules written by sourcefire's VRT group
>> in a timely fashion. You can get them for free with a 5 day delay.
>>
>> Community written rules are also still freely updated on a timely basis.
>>
> The more I think about this, the more I like it.  The only people this
> change penalizes are vendors who *used* to "steal" snort without
> giving Sourcefire and Marty any credit and who want to convince their
> customers that they *always* have the latest and greatest rules (so
> they can't afford to wait the five days.)  And that's exactly why this
> change was made.
>
> The average schmoo like me can get their rules from anywhere or write
> their own.  And five days after the "big boys" get theirs, I have the
> *same* rules they do.
>
> Seems like a win-win to me. 

Yep, and really the 5 day delay for the VRT rules was actually in effect
a LONG time ago. It's been in effect for the snort community for so long
you probably never realized it was there.

Previously, the *only* way to get VRT rules quickly was to own a
Sourcefire IDS device. A open-source snort user had to wait 5 days. This
has been the state of things for several years.



More information about the Snort-users mailing list