[Snort-users] Demarc Certified Open Signatures

Demarc Security snort_ml at ...2629...
Wed Mar 2 20:16:53 EST 2005


I'm sorry if my last post was unclear:

"The details about who wrote/contributed to each individual rule is available
through our Snort rule description database interface at the community
portal:"

It is an *interface* to the snort rule description database as it stands
today, created by the community, and published for use by the community (
http://www.snort.org/snort-db/help.html ).  Our Certified Open Signatures
program was just announced today and content will be changing as we add more
information to the database, which will, of course, continue to be free to
download in its entirety.  (That's why it's on the "Community Portal" website,
not our commercial website!)

Our intention is simply to create a rules database that is free for all to
access without restrictions or delays. It does not appear to be in the
security community's best interest to request community support with signature
creation, then charge a fee to access the latest rules without a delay.  While
the new Sourcefire license does not limit redistribution for free projects,
there will still be a five-day delay before the rules are made publicly
available for those who don't pay for a subscription.

Five days is a long time to be exposed to a threat without any coverage from
whatever Snort-based security solution you may use.

Ashlyn Reznik
Demarc Threat Research Team
Email: areznik at ...4451...
http://www.demarc.com/products/





--------   Original Message   --------
Date: Wed, March 2, 2005 4:27 pm
From: James Affeld <jamesaffeld at ...131...>
To:   snort-users at lists.sourceforge.net
Subject: [Snort-users] RE: Demarc Certified Open Signatures

> Your Snort rule description database appears to have
> been lifted from the snort website with only minor
> changes, at least for this example.
>
> http://www.snort.org/snort-db/sid.html?sid=1632
> http://snort.demarc.com/signatures/Chat_Session_Rules/1632/
>
> Is it a stretch to call it "our" database?  What is
> the % of original content there? (Meter by snort rule)
>
>>
>> Message: 2
>> Date: Wed, 2 Mar 2005 15:04:04 -0800 (PST)
>> Subject: RE: [Snort-users] Demarc Certified Open
>> Signatures
>> From: "Demarc Security" <snort_ml at ...2629...>
>> To: <snort-users at lists.sourceforge.net>
>>
>
> <redacted>
>>
>> To Bamm's point on copyrights, The details about who
>> wrote/contributed to each
>> individual rule is available through our Snort rule
>> description database
>> interface at the community portal:
>>
>> http://snort.demarc.com/signatures/
>>
>> As for the downloads, we originally had separate
>> contributor lines for each
>> individual rule to give everyone credit who worked
>> on the rules such as all
>> the people who have contributed rules on the
>> snort-sigs mailing list and all
>> the rules that originally came from whitehats,
>> however this made the file
>> bulky and hard to visually parse.  We will however
>> have the script that
>> interfaces with the rules database and creates these
>> downloads reinsert the
>> general catchall line crediting marty, brian, "et
>> al" to make sure that there
>> is no misinterpretation of our intentions.
>>
>> Thanks for pointing that out!
>>
>> Ashlyn Reznik
>> Demarc Threat Research Team
>> Email: areznik at ...4451...
>> http://www.demarc.com/products/
>>
>>
>> --------   Original Message   --------
>> Date: Wed, March 2, 2005 10:18 am
>> From: "Ron Jenkins" <rjenkins at ...12829...>
>> To:   "Demarc Security" <snort_ml at ...2629...>
>> Subject: RE: [Snort-users] Demarc Certified Open
>> Signatures
>>
>> > Will oinkmaster work with the rules downloads?
>> >
>> > Thanks...
>> >
>> > -----Original Message-----
>> > From: snort-users-admin at lists.sourceforge.net
>> > [mailto:snort-users-admin at lists.sourceforge.net]
>> On Behalf Of Demarc
>> > Security
>> > Sent: Wednesday, March 02, 2005 12:09 PM
>> > To: snort-users at lists.sourceforge.net
>> > Subject: [Snort-users] Demarc Certified Open
>> Signatures
>> >
>> >
>> >
>> >
>> > Since our inception in 2001, Demarc has been
>> committed to promoting secure
>> > Internet use by providing free versions of our
>> products for users at home.
>> > We believe that because we use Open Source
>> technology such as Linux and
>> > Snort,
>> > that we should give back to the security community
>> as a whole.  We have
>> > continued to fulfill this commitment, most
>> recently with the release of our
>> > Sentarus HomeAdmin Edition, which allows people to
>> deploy some of our latest
>> > security technology in their home lab environments
>> at no cost.
>> >
>> > In addition to our Sentarus and PureSecure
>> products, our customers have also
>> > benefited from the expertise of our Threat
>> Research Team which has, to date,
>> > been tasked with verifying rule stream updates and
>> educating customers on
>> > the
>> > detailed workings of Snort technology. In light of
>> some upcoming
>> > changes,
>> > we're now expanding our research team and formally
>> announcing our new
>> > "Certified Open Signatures" program.  Our
>> Certified Open Signatures program,
>> > which will be universally available to the entire
>> community, is founded on
>> > these two principles:
>> >
>> >     1)  Like the Snort program itself, the latest
>> rule signatures should
>> >         always be available for free because
>> strong computer and network
>> > security are in everyone's best interests.
>> >
>> >     2)  The best way for a company to serve a
>> community project is to
>> >         remain true to the original goals of that
>> project and refrain from
>> > charging for vital components that have always
>> been
>> >         community-driven and free.
>> >
>> > We make this announcement now, as we have recently
>> received notice from
>> > Sourcefire that, as of next week, early access to
>> all future Snort
>> > signatures
>> > they create will be based on a subscription model.
>> >
>> > The Sourcefire license changes as they were
>> presented to us are:
>> >
>> >     - All rule updates will be a minimum of five
>> days older than those
>> >       Sourcefire sells to their customers, and you
>> will be required to
>> > register to receive them or to wait for the next
>> major Snort release.
>> >
>> >    -  To receive the latest rules any sooner, you
>> will have to pay
>> >       Sourcefire a rule subscription fee.
>> >
>> > We sincerely respect the efforts of the Sourcefire
>> Snort development group
>> > along with the numerous others who created the
>> base technology and rulesets
>> > that have made Snort a household name in the
>> security community.
>> > However, one
>> > of the greatest benefits of using Snort is the
>> community review process
>> > which
>> > will now be subject to an imposed arbitrary delay.
>> >
>> > At Demarc, our commitment to the security
>> community is simple:
>> >
>> >    -  Demarc will maintain
>> http://snort.demarc.com/ as a community
>> > portal
>> >       for Snort signatures and Snort-based
>> technology.  (This site is meant
>> > to augment and not replace snort.org or the
>> snort-sigs mailing list.)
>> >
>> >    -  Demarc will produce and revise rules, as
>> well as collaborate with
>> >       active groups to bring together the best
>> rules from all community
>> > sources.  User sites such as Bleeding Snort have
>> been at the forefront
>> > of new signature development and we view these
>> groups' contributions
>> > as invaluable.  Our goal is to work with these
>> groups and to serve as
>> > the trusted source for certified,
>> >       production level rulesets.
>> >
>> >    -  Demarc's Threat Research Team will continue
>> to provide the latest
>> >       cutting-edge and Demarc Certified rules,
>> making them immediately
>> > available for public download and contribution.
>> >
>> >    -  Demarc will not charge for the download,
>> use, or modification of
>> >       rules hosted on this site.
>> >
>> > Our community portal at http://snort.demarc.com/
>> will continually evolve
>> > over
>> > the next several weeks to offer more features,
>> including direct user
>> > interaction. Our community portal will also become
>> the new home for the
>> > SPADE
>> > statistical packet anomaly detection project and
>> SnortSnarf, two
>> > projects
>> > originally managed by SiliconDefense and
>> subsequently transferred to Demarc.
>> >
>> > We welcome your support on these projects through
>> signature review and
>> > submissions, and, as with all community projects,
>> your feedback is always
>> > welcome to help make it better.
>> >
>> > Sincerely,
>> >
>> >
>> > Ashlyn Reznik
>> > Demarc Threat Research Team
>> > Email: areznik at ...4451...
>> > http://www.demarc.com/products/
>> >
>> >
>> >
>> >
>> >
>> >
>>
> -------------------------------------------------------
>> > SF email is sponsored by - The IT Product Guide
>> > Read honest & candid reviews on hundreds of IT
>> Products from real users.
>> > Discover which products truly live up to the hype.
>> Start reading now.
>> >
>>
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or
>> unsubscribe:
>> >
>>
> https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> >
>>
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> -------- End Original Message --------
>>
>>
>>
>>
>>
>> --__--__--
>>
>> Message: 3
>> Subject: RE: [Snort-users] Snort isn't doing
>> anything..
>> Date: Wed, 2 Mar 2005 17:11:45 -0600
>> From: "Harper, Patrick" <Patrick.Harper at ...11593...>
>> To: "Marc Hering" <mhering at ...13116...>,
>> 	<snort-users at lists.sourceforge.net>
>>
>> Is it a true hub, some hubs are really switches. The archives have a
>> lot about this issue.  What make and model?
>>
>> -----Original Message-----
>> From: Marc Hering [mailto:mhering at ...13118....com]
>> Sent: Wednesday, March 02, 2005 4:09 PM
>> To: snort-users at ...7287....sourceforge.net
>> Subject: [Snort-users] Snort isn't doing anything..
>>
>> Hey Everyone...
>>
>> I just setup my first snort box running on Fedora Core 3.  I installed
>> everything, including ACID and started snort up...It starts up just fine
>> and a ps auxww |grep snort shows that the app is running..
>>
>> 502       3740  0.7 14.5 41444 37196 ?       Ss   16:56 0:01
>> /usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -i eth1 -g
>> snortgroup -D -u snortuser
>>
>> However, If I run an nmap scan (doesn't matter what options) on any host
>> on my network (Snort can see it, it's on a hub) it doesn't log anything.
>> So far it's only logged 1 alert for a SQL scan..  I have tried updating
>> the rules to no avail...
>>
>> My snort.conf is the default out of the box setup, the only things i
>> have changed are as  follows
>>
>> ***********************Changed items in
>> snort.conf********************************
>> var RULE_PATH /usr/local/snort/rules
>>
>> output database: log, mysql, user=thepropersnortuser
>> password=snortuserspassword dbname=thesnortdatabase host=localhost
>>   (Names have been changed to protect the innocent  :) )
>>
>>  output alert_syslog: LOG_LOCAL3
>>  output alert_fast: snort.log
>>  output alert_full: alert.full
>> ************************************************
>>
>> From what I can understand....this SHOULD work, is there something I
>> have missed????
>>
>> Thanks
>>
>> -----------------------------------------
>> Disclaimer:  This electronic message, including any attachments, is
>> confidential and intended solely for use of the intended recipient(s). This
>> message may contain information that is privileged or otherwise protected
>> from disclosure by applicable law. Any unauthorized disclosure,
>> dissemination, use or reproduction is strictly prohibited. If you have
>> received this message in error, please delete it and notify the sender
>> immediately.
>>
>>
>> --__--__--
>>
>> Message: 4
>> To: Matt Kettler <mkettler at ...4108...>
>> Cc: snort-users at lists.sourceforge.net,
>> 	snort-users-admin at lists.sourceforge.net
>> Subject: Re: [Snort-users] uricontent questions
>> From: Brad W Rothwell <ROTHBW at ...1871...>
>> Date: Wed, 2 Mar 2005 16:29:22 -0700
>>
>>
>> I changed it to a more generic form.
>> alert tcp any any <> any any (msg: "foo found";
>> uricontent:"foo"; nocase;)
>> and it still does not trip an alert.  Ideas?
>>
>> Brad Rothwell
>> INL/ICP Cyber Security
>>
>>
>>
>>
>> Matt Kettler <mkettler at ...4108...>
>> Sent by: snort-users-admin at lists.sourceforge.net
>> 03/02/2005 02:43 PM
>>
>> To
>> Brad W Rothwell <ROTHBW at ...1871...>,
>> snort-users at lists.sourceforge.net
>> cc
>>
>> Subject
>> Re: [Snort-users] uricontent questions
>>
>>
>>
>>
>>
>>
>> At 02:54 PM 3/2/2005, Brad W Rothwell wrote:
>> >All,  I recently installed snort 2.3.0.  My
>> understanding is that I can
>> >use uricontent to search for strings as they appear
>> in the browser
>> address
>> >location bar.  For example, if the address location
>> is
>> ><http://foo.com/>http://foo.com the following rule
>> should alert.
>> >
>> >alert tcp any any <> $HTTP_SERVERS any (msg: "foo
>> found";
>> >uricontent:"foo"; nocase;)
>> >
>> >I have http_inspect set to the following
>> >preprocessor http_inspect: global \
>> >     iis_unicode_map unicode.map 1252
>> >
>> >preprocessor http_inspect_server: server default \
>> >     profile all ports { 80 8080 8180 }
>> oversize_dir_length 500
>> flow_depth 0
>> >
>> >The rule does not alert.  Am I missing something.
>>
>>
>> what is HTTP_SERVERS set to? The above rule will
>> only alert if the server
>> for foo.com is actually a part of that net range.
>>
>>
>>
>>
>>
>>
>>
>>
>> --__--__--
>>
>> Message: 5
>> Date: Thu, 03 Mar 2005 00:30:32 +0100
>> From: Laurent Haond <lhaond at ...13100...>
>> To:  snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] snort-inline and iptables
>> INPUT chain
>>
>> Big Thanks for your help Will !
>>
>> Will Metcalf wrote:
>>
>> >Nothing is showing up in your alert logs? Is it
>> just ssh or does this
>> >happen with all connections?  Try the following....
>> >
>> >
>> >
>> No alert, no dump.
>> It happens for all TCP connections ( tested http as
>> well)
>> It works for udp/icmp (dns queries / ping works )
>> With advanced  firewall rules, forwarded
>> tcp/udp/icmp/whatever
>> connections were OK.
>> but nothing works from lan to the snort box ...
>> (didn't try from
>> internet to the snort box)
>>
>> >iptables -F INPUT
>> >iptables -F OUTPUT
>> >iptables -F FORWARD
>> >iptables -A INPUT -i lo -j ACCEPT
>> >iptables -A INPUT  -j QUEUE
>> >iptables -A FORWARD -j QUEUE
>> >iptables -A OUTPUT -j QUEUE
>> >
>> >in your snort.conf set checksum mode to none.
>> >
>> >config checksum_mode: none
>> >
>> >Regards,
>> >
>> >Will
>> >
>> >
>>
>> Adding "config checksum_mode: none" did the job, now
>> it works. (BTW with
>> or without the iptables -A INPUT -i lo -j ACCEPT
>> rule )
>> I relaunched my complete set of firewall rules/
>> internet connections and
>> it's still working ;-)
>> ( I've some alert about lo / 127.0.01 but they will
>> be easy to avoid
>> bypassing the queue..)
>>
>> "Googling" on this config directive, i think i could
>> have found it by my
>> self (there is some threads on this list about
>> ssh/tcp issue and this
>> directive),
>> so i'm sorry if  i've made you lose your time...
>>
>> Let me, please, ask you some more questions :
>> why are forwarded checksum ok, but some ssh replies
>> corrupted ?
>> Is this an issue from kernel / iptables / snort ?
>> (i'm using 2.4.27 kernel / iptables 1.2.11 ... going
>> to upgrade to 1.3.x
>> soon)
>>
>> Thanks
>>
>> Regards
>>
>> Laurent
>>
>> ps:sorry for my bad english...
>>
>>
>> --__--__--
>>
>> Message: 6
>> Reply-To: <spamtrap at ...9077...>
>> From: "Michael Steele" <michaels at ...9077...>
>> To: "'Snort Users Postings'"
>> <snort-users at lists.sourceforge.net>
>> Subject: RE: [Snort-users] Demarc Certified Open
>> Signatures
>> Date: Wed, 2 Mar 2005 16:05:07 -0800
>>
>> Remember this one thing; If not for the dedication
>> of pre-Sourcefire
>> contributions from others, Snort would not be where
>> it is today, and this
>> goes for Sourcefire.
>>
>> This is only the beginning. Does it seem
>> inconceivable that in the future
>> Snort builds might be treated the same as the rules
>> are. If it's OK to do
>> this with the rules, then where does it stop...
>>
>> Kindest regards,
>> Michael...
>>
>> WINSNORT.com Management Team Member
>> --
>> Pick up your FREE Windows or UNIX Snort installation
>> guides
>> mailto:support at ...9077...
>> Website: http://www.winsnort.com
>> Snort: Open Source Network IDS -
>> http://www.snort.org
>>
>>
>> > -----Original Message-----
>> > From: snort-users-admin at lists.sourceforge.net
>> [mailto:snort-users-
>> > admin at lists.sourceforge.net] On Behalf Of Bob
>> Konigsberg
>> > Sent: Wednesday, March 02, 2005 2:31 PM
>> > To: 'Bamm Visscher'; 'Demarc Security'
>> > Cc: snort-users at lists.sourceforge.net
>> > Subject: RE: [Snort-users] Demarc Certified Open
>> Signatures
>> >
>> > I don't think that's the key point here.  This has
>> already happened with
>> > Nessus and Snort - that is, people are making
>> money off of their open
>> > source
>> > work, and not giving credit OR cash back to the
>> developers.
>> >
>> > It's kind of sad where a few folks spoil it, but
>> both organizations are
>> > trying hard to stick to their roots - while
>> getting what's due them.
>> >
>> > Bob
>> >
>> > -----Original Message-----
>> > From: snort-users-admin at lists.sourceforge.net
>> > [mailto:snort-users-admin at lists.sourceforge.net]
>> On Behalf Of Bamm
>> > Visscher
>> > Sent: Wednesday, March 02, 2005 2:19 PM
>> > To: Demarc Security
>> > Cc: snort-users at lists.sourceforge.net
>> > Subject: Re: [Snort-users] Demarc Certified Open
>> Signatures
>> >
>> > Shouldn't a reputable company, who is supposedly
>> committed to the
>> > opensource
>> > community ensure that the copyright notices for
>> the rules files stay
>> > intact?
>> >
>> > Bammkkkk
>> >
>> > On Wed, 2 Mar 2005 10:09:11 -0800 (PST), Demarc
>> Security
>> > <snort_ml at ...2629...> wrote:
>> > >
>> > >
>> > > Since our inception in 2001, Demarc has been
>> committed to promoting
>> > > secure Internet use by providing free versions
>> of our products for users
>> > at home.
>> > > We believe that because we use Open Source
>> technology such as Linux
>> > > and Snort, that we should give back to the
>> security community as a
>> > > whole.  We have continued to fulfill this
>> commitment, most recently
>> > > with the release of our Sentarus HomeAdmin
>> Edition, which allows
>> > > people to deploy some of our latest security
>> technology in their home
>> > lab
>> > environments at no cost.
>> > >
>> > > In addition to our Sentarus and PureSecure
>> products, our customers
>> > > have also benefited from the expertise of our
>> Threat Research Team
>> > > which has, to date, been tasked with verifying
>> rule stream updates and
>> > > educating customers on the detailed workings of
>> Snort technology. In
>> > > light of some upcoming changes, we're now
>> expanding our research team
>> > > and formally announcing our new "Certified Open
>> Signatures" program.
>> > > Our Certified Open Signatures program, which
>> will be universally
>> > > available to the entire community, is founded on
>> these two principles:
>> > >
>> > >     1)  Like the Snort program itself, the
>> latest rule signatures should
>> > >         always be available for free because
>> strong computer and network
>> > >         security are in everyone's best
>> interests.
>> > >
>> > >     2)  The best way for a company to serve a
>> community project is to
>> > >         remain true to the original goals of
>> that project and refrain
>> > >         from charging for vital components that
>> have always been
>> > >         community-driven and free.
>> > >
>> > > We make this announcement now, as we have
>> recently received notice
>> > > from Sourcefire that, as of next week, early
>> access to all future
>> > > Snort signatures they create will be based on a
>> subscription model.
>> > >
>> > > The Sourcefire license changes as they were
>> presented to us are:
>> > >
>> > >     - All rule updates will be a minimum of five
>> days older than those
>> > >       Sourcefire sells to their customers, and
>> you will be required to
>> > >       register to receive them or to wait for
>> the next major Snort
>> > >       release.
>> > >
>> > >    -  To receive the latest rules any sooner,
>> you will have to pay
>> > >       Sourcefire a rule subscription fee.
>> > >
>> > > We sincerely respect the efforts of the
>> Sourcefire Snort development
>> > > group along with the numerous others who created
>> the base technology
>> > > and rulesets that have made Snort a household
>> name in the security
>> > > community.  However, one of the greatest
>> benefits of using Snort is
>> > > the community review process which will now be
>> subject to an imposed
>> > arbitrary delay.
>> > >
>> > > At Demarc, our commitment to the security
>> community is simple:
>> > >
>> > >    -  Demarc will maintain
>> http://snort.demarc.com/ as a community
>> > portal
>> > >       for Snort signatures and Snort-based
>> technology.  (This site is
>> > >       meant to augment and not replace snort.org
>> or the snort-sigs
>> > >       mailing list.)
>> > >
>> > >    -  Demarc will produce and revise rules, as
>> well as collaborate with
>> > >       active groups to bring together the best
>> rules from all community
>> > >       sources.  User sites such as Bleeding
>> Snort have been at the
>> > >       forefront of new signature development and
>> we view these groups'
>> > >       contributions as invaluable.  Our goal is
>> to work with these
>> > >       groups and to serve as the trusted source
>> for certified,
>> > >       production level rulesets.
>> > >
>> > >    -  Demarc's Threat Research Team will
>> continue to provide the latest
>> > >       cutting-edge and Demarc Certified rules,
>> making them immediately
>> > >       available for public download and
>> contribution.
>> > >
>> > >    -  Demarc will not charge for the download,
>> use, or modification of
>> > >       rules hosted on this site.
>> > >
>> > > Our community portal at http://snort.demarc.com/
>> will continually
>> > > evolve over the next several weeks to offer more
>> features, including
>> > > direct user interaction. Our community portal
>> will also become the new
>> > > home for the SPADE statistical packet anomaly
>> detection project and
>> > > SnortSnarf, two projects originally managed by
>> SiliconDefense and
>> > subsequently transferred to Demarc.
>> > >
>> > > We welcome your support on these projects
>> through signature review and
>> > > submissions, and, as with all community
>> projects, your feedback is
>> > > always welcome to help make it better.
>> > >
>> > > Sincerely,
>> > >
>> > > Ashlyn Reznik
>> > > Demarc Threat Research Team
>> > > Email: areznik at ...4451...
>> > > http://www.demarc.com/products/
>> > >
>> >
>> >
>> > --
>> > sguil - The Analyst Console for NSM
>> > http://sguil.sf.net
>> >
>> >
>> >
>>
>>
>> --__--__--
>>
>>
>>
>> End of Snort-users Digest
>>
-------- End Original Message --------








