[Snort-users] RE: Demarc Certified Open Signatures

James Affeld jamesaffeld at ...131...
Wed Mar 2 16:28:12 EST 2005


Your Snort rule description database appears to have
been lifted from the snort website with only minor
changes, at least for this example.  

http://www.snort.org/snort-db/sid.html?sid=1632
http://snort.demarc.com/signatures/Chat_Session_Rules/1632/

Is it a stretch to call it "our" database?  What is
the % of original content there? (Meter by snort rule)

> 
> Message: 2
> Date: Wed, 2 Mar 2005 15:04:04 -0800 (PST)
> Subject: RE: [Snort-users] Demarc Certified Open
> Signatures
> From: "Demarc Security" <snort_ml at ...2629...>
> To: <snort-users at lists.sourceforge.net>
> 

<redacted>
> 
> To Bamm's point on copyrights, The details about who
> wrote/contributed to each
> individual rule is available through our Snort rule
> description database
> interface at the community portal:
> 
> http://snort.demarc.com/signatures/
> 
> As for the downloads, we originally had separate
> contributer lines for each
> individual rule to give everyone credit who worked
> on the rules such as all
> the people who have contributed rules on the
> snort-sigs mailing list and all
> the rules that originally came from whitehats,
> however this made the file
> bulky and hard to visually parse.  We will however
> have the script that
> interfaces with the rules database and creates these
> downloads reinsert the
> general catchall line crediting marty, brian, "et
> al" to make sure that there
> is no misinterpretation of our intentions.
> 
> Thanks for pointing that out!
> 
> Ashlyn Reznik
> Demarc Threat Research Team
> Email: areznik at ...4451...
> http://www.demarc.com/products/
> 
> 
> --------   Original Message   --------
> Date: Wed, March 2, 2005 10:18 am
> From: "Ron Jenkins" <rjenkins at ...12829...>
> To:   "Demarc Security" <snort_ml at ...2629...>
> Subject: RE: [Snort-users] Demarc Certified Open
> Signatures
> 
> > Will oinkmaster work with the rules downloads?
> >
> > Thanks...
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]
> On Behalf Of Demarc
> > Security
> > Sent: Wednesday, March 02, 2005 12:09 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Demarc Certified Open
> Signatures
> >
> >
> >
> >
> > Since our inception in 2001, Demarc has been
> committed to promoting secure
> > Internet use by providing free versions of our
> products for users at home.
> > We believe that because we use Open Source
> technology such as Linux and
> > Snort,
> > that we should give back to the security community
> as a whole.  We have
> > continued to fulfill this commitment, most
> recently with the release of our
> > Sentarus HomeAdmin Edition, which allows people to
> deploy some of our latest
> > security technology in their home lab environments
> at no cost.
> >
> > In addition to our Sentarus and PureSecure
> products, our customers have also
> > benefited from the expertise of our Threat
> Research Team which has, to date,
> > been tasked with verifying rule stream updates and
> educating customers on
> > the
> > detailed workings of Snort technology. In light of
> some upcoming
> > changes,
> > we're now expanding our research team and formally
> announcing our new
> > "Certified Open Signatures" program.  Our
> Certified Open Signatures program,
> > which will be universally available to the entire
> community, is founded on
> > these two principles:
> >
> >     1)  Like the Snort program itself, the latest
> rule signatures should
> >         always be available for free because
> strong computer and network
> > security are in everyone's best interests.
> >
> >     2)  The best way for a company to serve a
> community project is to
> >         remain true to the original goals of that
> project and refrain from
> > charging for vital components that have always
> been
> >         community-driven and free.
> >
> > We make this announcement now, as we have recently
> received notice from
> > Sourcefire that, as of next week, early access to
> all future Snort
> > signatures
> > they create will be based on a subscription model.
> >
> > The Sourcefire license changes as they were
> presented to us are:
> >
> >     - All rule updates will be a minimum of five
> days older than those
> >       Sourcefire sells to their customers, and you
> will be required to
> > register to receive them or to wait for the next
> major Snort release.
> >
> >    -  To receive the latest rules any sooner, you
> will have to pay
> >       Sourcefire a rule subscription fee.
> >
> > We sincerely respect the efforts of the Sourcefire
> Snort development group
> > along with the numerous others who created the
> base technology and rulesets
> > that have made Snort a household name in the
> security community.
> > However, one
> > of the greatest benefits of using Snort is the
> community review process
> > which
> > will now be subject to an imposed arbitrary delay.
> >
> > At Demarc, our commitment to the security
> community is simple:
> >
> >    -  Demarc will maintain
> http://snort.demarc.com/ as a community
> > portal
> >       for Snort signatures and Snort-based
> technology.  (This site is meant
> > to augment and not replace snort.org or the
> snort-sigs mailing list.)
> >
> >    -  Demarc will produce and revise rules, as
> well as collaborate with
> >       active groups to bring together the best
> rules from all community
> > sources.  User sites such as Bleeding Snort have
> been at the forefront
> > of new signature development and we view these
> groups' contributions
> > as invaluable.  Our goal is to work with these
> groups and to serve as
> > the trusted source for certified,
> >       production level rulesets.
> >
> >    -  Demarc's Threat Research Team will continue
> to provide the latest
> >       cutting-edge and Demarc Certified rules,
> making them immediately
> > available for public download and contribution.
> >
> >    -  Demarc will not charge for the download,
> use, or modification of
> >       rules hosted on this site.
> >
> > Our community portal at http://snort.demarc.com/
> will continually evolve
> > over
> > the next several weeks to offer more features,
> including direct user
> > interaction. Our community portal will also become
> the new home for the
> > SPADE
> > statistical packet anomaly detection project and
> SnortSnarf, two
> > projects
> > originally managed by SiliconDefense and
> subsequently transferred to Demarc.
> >
> > We welcome your support on these projects through
> signature review and
> > submissions, and, as with all community projects,
> your feedback is always
> > welcome to help make it better.
> >
> > Sincerely,
> >
> >
> > Ashlyn Reznik
> > Demarc Threat Research Team
> > Email: areznik at ...4451...
> > http://www.demarc.com/products/
> >
> >
> >
> >
> >
> >
>
-------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT
> Products from real users.
> > Discover which products truly live up to the hype.
> Start reading now.
> >
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> unsubscribe:
> >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> -------- End Original Message --------
> 
> 
> 
> 
> 
> --__--__--
> 
> Message: 3
> Subject: RE: [Snort-users] Snort isn't doing
> anything..
> Date: Wed, 2 Mar 2005 17:11:45 -0600
> From: "Harper, Patrick" <Patrick.Harper at ...11593...>
> To: "Marc Hering" <mhering at ...13116...>,
> 	<snort-users at lists.sourceforge.net>
> 
> Is it a true hub, some hubs are really switches=2E 
> The archives have a=0D=
> =0Alot about this issue=2E  What make and model?
> =0D=0A=0D=0A-----Original =
> Message-----=0D=0AFrom: Marc Hering
> [mailto:mhering at ...13118...=2Ecom] =0D=0ASent=
> : Wednesday, March 02, 2005 4:09 PM=0D=0ATo:
> snort-users at ...7287...=2Esourceforg=
> e=2Enet=0D=0ASubject: [Snort-users] Snort isn't
> doing anything=2E=2E=0D=0A=
> =0D=0AHey Everyone=2E=2E=2E=0D=0A=0D=0AI just setup
> my first snort box runn=
> ing on Fedora Core 3=2E  I
> installed=0D=0Aeverything, including ACID and st=
> arted snort up=2E=2E=2EIt starts up just
> fine=0D=0Aand a ps auxww |grep sno=
> rt shows that the app is running=2E=2E=0D=0A
> =0D=0A502       3740  0=2E7 14=
> =2E5 41444 37196 ?       Ss   16:56  
> 0:01=0D=0A/usr/local/bin/snort -c /us=
> r/local/snort/etc/snort=2Econf -i eth1
> -g=0D=0Asnortgroup -D -u snortuser=
> =0D=0A=0D=0A =0D=0AHowever, If I run an nmap scan
> (doesn't matter what opti=
> ons) on any host=0D=0Aon my network (Snort can see
> it, it's on a hub) it do=
> esn't log anything=2E=0D=0ASo far it's only logged 1
> alert for a SQL scan=
> =2E=2E  I have tried updating=0D=0Athe rules to no
> avail=2E=2E=2E=0D=0A =0D=
> =0AMy snort=2Econf is the default out of the box
> setup, the only things i=
> =0D=0Ahave changed are as  follows=0D=0A
> =0D=0A***********************Chang=
> ed items
>
in=0D=0Asnort=2Econf********************************=0D=0Avar
> RULE=
> _PATH /usr/local/snort/rules=0D=0A =0D=0A
> =0D=0Aoutput database: log, mysql=
> ,
>
user=3Dthepropersnortuser=0D=0Apassword=3Dsnortuserspassword
> dbname=3Dthe=
> snortdatabase host=3Dlocalhost=0D=0A  (Names have
> been changed to protect t=
> he innocent  :) )=0D=0A =0D=0A output alert_syslog:
> LOG_LOCAL3=0D=0A output=
>  alert_fast: snort=2Elog=0D=0A output alert_full:
> alert=2Efull=0D=0A*******=
>
*****************************************=0D=0A=0D=0A
> =0D=0A =0D=0AFrom wha=
> t I can understand=2E=2E=2E=2Ethis SHOULD work, is
> there something I=0D=0Ah=
> ave missed????=0D=0A
>
=0D=0AThanks=0D=0A=0D=0A=0D=0A=0D=0A------------------=
> -----------------------=0D=0ADisclaimer:  This
> electronic message, includin=
> g any attachments, is=0D=0Aconfidential and intended
> solely for use of the =
> intended recipient(s)=2E This=0D=0Amessage may
> contain information that is =
> privileged or otherwise protected=0D=0Afrom
> disclosure by applicable law=2E=
>  Any unauthorized disclosure,=0D=0Adissemination,
> use or reproduction is st=
> rictly prohibited=2E If you have=0D=0Areceived this
> message in error, pleas=
> e delete it and notify the
> sender=0D=0Aimmediately=2E=0D=0A
> 
> 
> --__--__--
> 
> Message: 4
> To: Matt Kettler <mkettler at ...4108...>
> Cc: snort-users at lists.sourceforge.net,
> 	snort-users-admin at lists.sourceforge.net
> Subject: Re: [Snort-users] uricontent questions
> From: Brad W Rothwell <ROTHBW at ...1871...>
> Date: Wed, 2 Mar 2005 16:29:22 -0700
> 
> This is a multipart message in MIME format.
> --=_alternative 0080FA4187256FB8_=
> Content-Type: text/plain; charset="US-ASCII"
> 
> I changed it to a more generic form. 
> alert tcp any any <> any any (msg: "foo found"; 
> uricontent:"foo"; nocase;)
> and it still does not trip an alert.  Ideas?
> 
> Brad Rothwell
> INL/ICP Cyber Security
> 
> 
> 
> 
> Matt Kettler <mkettler at ...4108...> 
> Sent by: snort-users-admin at lists.sourceforge.net
> 03/02/2005 02:43 PM
> 
> To
> Brad W Rothwell <ROTHBW at ...1871...>,
> snort-users at lists.sourceforge.net
> cc
> 
> Subject
> Re: [Snort-users] uricontent questions
> 
> 
> 
> 
> 
> 
> At 02:54 PM 3/2/2005, Brad W Rothwell wrote:
> >All,  I recently installed snort 2.3.0.  My
> understanding is that I can 
> >use uricontent to search for strings as they appear
> in the browser 
> address 
> >location bar.  For example, if the address location
> is 
> ><http://foo.com/>http://foo.com the following rule
> should alert.
> >
> >alert tcp any any <> $HTTP_SERVERS any (msg: "foo
> found"; 
> >uricontent:"foo"; nocase;)
> >
> >I have http_inspect set to the following
> >preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> >
> >preprocessor http_inspect_server: server default \
> >     profile all ports { 80 8080 8180 }
> oversize_dir_length 500 
> flow_depth 0
> >
> >The rule does not alert.  Am I missing something.
> 
> 
> what is HTTP_SERVERS set to? The above rule will
> only alert if the server 
> for foo.com is actualy a part of that net range.
> 
> 
> 
> 
> 
>
-------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT
> Products from real users.
> Discover which products truly live up to the hype.
> Start reading now.
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> --=_alternative 0080FA4187256FB8_=
> Content-Type: text/html; charset="US-ASCII"
> 
> 
> <br><font size=2 face="sans-serif">I changed it to a
> more generic form.
>  </font>
> <br><font size=2><tt>alert tcp any any <> any
> any (msg: "foo
> found"; <br>
> uricontent:"foo"; nocase;)</tt></font>
> <br><font size=2><tt>and it still does not trip an
> alert.  Ideas?</tt></font>
> <br>
> <br><font size=2 face="sans-serif">Brad Rothwell<br>
> INL/ICP Cyber Security<br>
> </font>
> <br>
> <br>
> <br>
> <table width=100%>
> <tr valign=top>
> <td width=40%><font size=1 face="sans-serif"><b>Matt
> Kettler <mkettler at ...4108...></b>
> </font>
> <br><font size=1 face="sans-serif">Sent by:
> snort-users-admin at lists.sourceforge.net</font>
> <p><font size=1 face="sans-serif">03/02/2005 02:43
> PM</font>
> <td width=59%>
> <table width=100%>
> <tr valign=top>
> <td>
> <div align=right><font size=1
> face="sans-serif">To</font></div>
> <td><font size=1 face="sans-serif">Brad W Rothwell
> <ROTHBW at ...1871...>,
> snort-users at lists.sourceforge.net</font>
> <tr valign=top>
> <td>
> <div align=right><font size=1
> face="sans-serif">cc</font></div>
> <td>
> <tr valign=top>
> <td>
> <div align=right><font size=1
> face="sans-serif">Subject</font></div>
> <td><font size=1 face="sans-serif">Re: [Snort-users]
> uricontent questions</font></table>
> <br>
> <table>
> <tr valign=top>
> <td>
> <td></table>
> <br></table>
> <br>
> <br>
> <br><font size=2><tt>At 02:54 PM 3/2/2005, Brad W
> Rothwell wrote:<br>
> >All,  I recently installed snort 2.3.0.
>  My understanding
> is that I can <br>
> >use uricontent to search for strings as they
> appear in the browser
> address <br>
> >location bar.  For example, if the address
> location is <br>
> ><http://foo.com/>http://foo.com the
> following rule should alert.<br>
> ><br>
> >alert tcp any any <> $HTTP_SERVERS any
> (msg: "foo found";
> <br>
> >uricontent:"foo"; nocase;)<br>
> ><br>
> >I have http_inspect set to the following<br>
> >preprocessor http_inspect: global \<br>
> >     iis_unicode_map unicode.map
> 1252<br>
> ><br>
> >preprocessor http_inspect_server: server default
> \<br>
> >     profile all ports { 80 8080 8180
> } oversize_dir_length
> 500 flow_depth 0<br>
> ><br>
> >The rule does not alert.  Am I missing
> something.<br>
> <br>
> <br>
> what is HTTP_SERVERS set to? The above rule will
> only alert if the server
> <br>
> for foo.com is actualy a part of that net range.<br>
> <br>
> <br>
> <br>
> <br>
> <br>
>
-------------------------------------------------------<br>
> SF email is sponsored by - The IT Product Guide<br>
> Read honest & candid reviews on hundreds of IT
> Products from real users.<br>
> Discover which products truly live up to the hype.
> Start reading now.<br>
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click<br>
> _______________________________________________<br>
> Snort-users mailing list<br>
> Snort-users at lists.sourceforge.net<br>
> Go to this URL to change user options or
> unsubscribe:<br>
>
https://lists.sourceforge.net/lists/listinfo/snort-users<br>
> Snort-users list archive:<br>
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users<br>
> </tt></font>
> <br>
> --=_alternative 0080FA4187256FB8_=--
> 
> 
> --__--__--
> 
> Message: 5
> Date: Thu, 03 Mar 2005 00:30:32 +0100
> From: Laurent Haond <lhaond at ...13100...>
> To:  snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort-inline and iptables
> INPUT chain
> 
> Big Thanks for your help Will !
> 
> Will Metcalf a écrit :
> 
> >Nothing is showing up in your alert logs? Is it
> just ssh or does this
> >happen with all connections?  Try the following....
> >
> >  
> >
> No alert, no dump.
> It happen for all TCP connections ( tested http as
> well)
> It work for udp/icmp (dns queries / ping works )
> With advanced  firewall rules, forwarded
> tcp/udp/icmp/whatever 
> connections were OK.
> but nothing works from lan to the snort box ...
> (didn't try from 
> internet to the snort box)
> 
> >iptables -F INPUT
> >iptables -F OUPUT
> >iptables -F FORWARD
> >iptables -A INPUT -i lo -j ACCEPT
> >iptables -A INPUT  -j QUEUE
> >iptables -A FORWARD -j QUEUE 
> >iptables -A OUPUT -j QUEUE
> >
> >in your snort.conf set checksum mode to none.
> >
> >config checksum_mode: none
> >
> >Regards,
> >
> >Will
> >  
> >
> 
> Adding "config checksum_mode: none" did the job, now
> it works. (BTW with 
> or without the iptables -A INPUT -i lo -j ACCEPT
> rule )
> I relauched my complete set of firewall rules/
> internet connections and 
> it's still working ;-)
> ( I've some alert about lo / 127.0.01 but they will
> be easy to avoid 
> bypassing the queue..)
> 
> "Googling" on this config directive, i think i could
> have found it by my 
> self (there is some threads on this list about
> ssh/tcp issue and this 
> directive),
> so i'm sorry if  i've mafe you lose your time...
> 
> Let me, please, ask you some more questions :
> why are forwarded checksum ok, but some ssh replies
> corrupted ?
> Is this an issue from kernel / iptables / snort ?
> (i'm using 2.4.27 kernel / iptables 1.2.11 ... going
> to upgrade to 1.3.x 
> soon)
> 
> Thanks
> 
> Regards
> 
> Laurent
> 
> ps:sorry for my bad english...
> 
> 
> --__--__--
> 
> Message: 6
> Reply-To: <spamtrap at ...9077...>
> From: "Michael Steele" <michaels at ...9077...>
> To: "'Snort Users Postings'"
> <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] Demarc Certified Open
> Signatures
> Date: Wed, 2 Mar 2005 16:05:07 -0800
> 
> Remember this one thing; If not for the dedication
> of pre-Sourcefire
> contributions from others, Snort would not be where
> it is today, and this
> goes for Sourcefire.
> 
> This is only the beginning. Does it seem
> inconceivable that in the future
> Snort builds might be treated the same as the rules
> are. If it's OK to do
> this with the rules, then where does it stop...
> 
> Kindest regards, 
> Michael...
> 
> WINSNORT.com Management Team Member
> -- 
> Pick up your FREE Windows or UNIX Snort installation
> guides       
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS -
> http://www.snort.org
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of Bob
> Konigsberg
> > Sent: Wednesday, March 02, 2005 2:31 PM
> > To: 'Bamm Visscher'; 'Demarc Security'
> > Cc: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Demarc Certified Open
> Signatures
> > 
> > I don't think that's the key point here.  This has
> already happened with
> > Nessus and Snort - that is, people are making
> money off of their open
> > source
> > work, and not giving credit OR cash back to the
> developers.
> > 
> > It's kind of sad where a few folks spoil it, but
> both organizations are
> > trying hard to stick to their roots - while
> getting what's due them.
> > 
> > Bob
> > 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]
> On Behalf Of Bamm
> > Visscher
> > Sent: Wednesday, March 02, 2005 2:19 PM
> > To: Demarc Security
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Demarc Certified Open
> Signatures
> > 
> > Shouldn't a reputable company, who is supposedly
> committed to the
> > opensource
> > community ensure that the copyright notices for
> the rules files stay
> > intact?
> > 
> > Bammkkkk
> > 
> > On Wed, 2 Mar 2005 10:09:11 -0800 (PST), Demarc
> Security
> > <snort_ml at ...2629...> wrote:
> > >
> > >
> > > Since our inception in 2001, Demarc has been
> committed to promoting
> > > secure Internet use by providing free versions
> of our products for users
> > at home.
> > > We believe that because we use Open Source
> technology such as Linux
> > > and Snort, that we should give back to the
> security community as a
> > > whole.  We have continued to fulfill this
> commitment, most recently
> > > with the release of our Sentarus HomeAdmin
> Edition, which allows
> > > people to deploy some of our latest security
> technology in their home
> > lab
> > environments at no cost.
> > >
> > > In addition to our Sentarus and PureSecure
> products, our customers
> > > have also benefited from the expertise of our
> Threat Research Team
> > > which has, to date, been tasked with verifying
> rule stream updates and
> > > educating customers on the detailed workings of
> Snort technology. In
> > > light of some upcoming changes, we're now
> expanding our research team
> > > and formally announcing our new "Certified Open
> Signatures" program.
> > > Our Certified Open Signatures program, which
> will be universally
> > > available to the entire community, is founded on
> these two principles:
> > >
> > >     1)  Like the Snort program itself, the
> latest rule signatures should
> > >         always be available for free because
> strong computer and network
> > >         security are in everyone's best
> interests.
> > >
> > >     2)  The best way for a company to serve a
> community project is to
> > >         remain true to the original goals of
> that project and refrain
> > >         from charging for vital components that
> have always been
> > >         community-driven and free.
> > >
> > > We make this announcement now, as we have
> recently received notice
> > > from Sourcefire that, as of next week, early
> access to all future
> > > Snort signatures they create will be based on a
> subscription model.
> > >
> > > The Sourcefire license changes as they were
> presented to us are:
> > >
> > >     - All rule updates will be a minimum of five
> days older than those
> > >       Sourcefire sells to their customers, and
> you will be required to
> > >       register to receive them or to wait for
> the next major Snort
> > >       release.
> > >
> > >    -  To receive the latest rules any sooner,
> you will have to pay
> > >       Sourcefire a rule subscription fee.
> > >
> > > We sincerely respect the efforts of the
> Sourcefire Snort development
> > > group along with the numerous others who created
> the base technology
> > > and rulesets that have made Snort a household
> name in the security
> > > community.  However, one of the greatest
> benefits of using Snort is
> > > the community review process which will now be
> subject to an imposed
> > arbitrary delay.
> > >
> > > At Demarc, our commitment to the security
> community is simple:
> > >
> > >    -  Demarc will maintain
> http://snort.demarc.com/ as a community
> > portal
> > >       for Snort signatures and Snort-based
> technology.  (This site is
> > >       meant to augment and not replace snort.org
> or the snort-sigs
> > >       mailing list.)
> > >
> > >    -  Demarc will produce and revise rules, as
> well as collaborate with
> > >       active groups to bring together the best
> rules from all community
> > >       sources.  User sites such as Bleeding
> Snort have been at the
> > >       forefront of new signature development and
> we view these groups'
> > >       contributions as invaluable.  Our goal is
> to work with these
> > >       groups and to serve as the trusted source
> for certified,
> > >       production level rulesets.
> > >
> > >    -  Demarc's Threat Research Team will
> continue to provide the latest
> > >       cutting-edge and Demarc Certified rules,
> making them immediately
> > >       available for public download and
> contribution.
> > >
> > >    -  Demarc will not charge for the download,
> use, or modification of
> > >       rules hosted on this site.
> > >
> > > Our community portal at http://snort.demarc.com/
> will continually
> > > evolve over the next several weeks to offer more
> features, including
> > > direct user interaction. Our community portal
> will also become the new
> > > home for the SPADE statistical packet anomaly
> detection project and
> > > SnortSnarf, two projects originally managed by
> SiliconDefense and
> > subsequently transferred to Demarc.
> > >
> > > We welcome your support on these projects
> through signature review and
> > > submissions, and, as with all community
> projects, your feedback is
> > > always welcome to help make it better.
> > >
> > > Sincerely,
> > >
> > > Ashlyn Reznik
> > > Demarc Threat Research Team
> > > Email: areznik at ...4451...
> > > http://www.demarc.com/products/
> > >
> > 
> > 
> > --
> > sguil - The Analyst Console for NSM
> > http://sguil.sf.net
> > 
> > 
> >
>
-------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT
> Products from real users.
> > Discover which products truly live up to the hype.
> Start reading now.
> >
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> unsubscribe:
> >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> > 
> > 
> > 
> > 
> >
>
-------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT
> Products from real users.
> > Discover which products truly live up to the hype.
> Start reading now.
> >
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> unsubscribe:
> >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> 
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest
> 



	
		
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/




More information about the Snort-users mailing list