[Snort-users] Demarc Certified Open Signatures

Eric Hines eric.hines at ...8860...
Thu Mar 3 13:12:27 EST 2005


Hi Joel,
 
Funny introduction :) No problem on sticking together as GCIA's... :) We all
have our own opinions on the matter despite what certifications we share.
Believe it or not, I actually agree with you. Perhaps I should have made
clear in my email that I understand the business decision behind what they
are doing. Hell, I really don't care that they are charging for early access
to those signatures, if companies are doing what they say they are doing,
than I would respond the same way. We don't make money here off Snort
signatures nor do we make money off Snort. We do have a line of Snort sensor
appliances but that's merely for customers who don't want to install Snort
themselves. We aren't an IDS company. Snort is one of MANY solutions we
support as a SIM solution.
 
Look, this will be my last post on the matter because frankly I really don't
see what the big "hoop - lah" is about the whole thing. If Sourcefire were
to take all the signatures and begin charging for them with no subscription
service at all, than that would be a different story. But what we're talking
about here is a 5 day waiting period that any of us have the capability
within that period of time, to make the same Snort signatures if we don't
want to wait on Sourcefire. That's the beauty behind open source and the
great thing about having an open signature format that we all understand how
to write. Example, if a new exploit or worm comes out that we need a
signature for, you can either pay to subscribe to the VRT Feed or make the
signature yourself. Maybe Brian Caswell flames you because the signature
sucks or its better than Sourcefire's but either way, you've got a signature
and you have the option to get it for free. 
 
I suppose I'm hoping this is the extent of Sourcefire's decision regarding
the commercialization of anything Snort. And if Martin and the rest of
Sourcefire says it is, than I suppose we have to take them at their word. 

I'm just out to make sure that Applied Watch conforms to any changes made to
what's allowed in the distribution of rules made prior to the VRT
subscription service. 
 
My last comments on the matter.
 

Best Regards,


Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102
Tel: (877) 262-7593 x327
Fax: (877) 262-7593
Web: http://www.appliedwatch.com
  

 

________________________________

From: Esler, Joel CNTR/Sytex [mailto:joel.esler at ...9426...] 
Sent: Thursday, March 03, 2005 12:24 PM
To: Eric Hines
Cc: spamtrap at ...9077...; 'Snort Users Postings'
Subject: RE: [Snort-users] Demarc Certified Open Signatures


Eric, for as much as us GCIA's have to stick together, I have to disagree
with you.  

While I am an open source advocate, I have to agree with Sourcefire's
business model.  It only makes sense from a business point of view...

People (Other companies) are selling Sourcefire's work as the their own.
This is an effort to preserve that for 5 days.  It's only 5 days!  You won't
know the difference anyway!

J

On Thu, 2005-03-03 at 09:48 -0600, Eric Hines wrote: 

	Michael, I Agree. This is only the beginning. Three or so years ago
a good
	friend, Jed Pickel posted to this list when Martin announced the
creation of
	Sourcefire. He called it and said stuff like this would happen and
was
	flamed for it. I think he deserves accolades for standing up and
saying
	something because he ended up being right after all.
	
	This is only the beginning, indeed. I think its naïve to think that
Roesche
	has any more control over there at Sourcefire as to what happens
with the
	Snort project, which is under the control of copyrights and
trademarks by
	Sourcefire, Inc. He has brought in so much VC money that I'd be
surprised if
	he is a majority shareholder anymore at that company -- its near
impossible.
	The fate of the Snort project is in the hands and control of the
Board of
	Directors at Sourcefire and it's VC's -- not snort.org. Hell, its
even
	hosted by Sourcefire.
	
	[snort.org]
	
	      NS1.SOURCEFIRE.COM      12.4.213.2   	 
	   	NS2.SOURCEFIRE.COM 	199.107.65.180
	
	
	IMHO this is a very poor move by Sourcefire. I've spoken to a lot of
	organizations about this over the past week (as we received a letter
from
	Sourcefire announcing this way before this announcement) who laughed
at the
	very thought of paying for Signatures simply so they can get it when
they
	are immediately released. Wait 5 days and you get those signatures.
If they
	actually get ANY organizations who are willing to pay for this
subscription,
	the number of companies willing to pay for it will be far exceeded
by the
	number of people they've upset. Do the math Sourcefire.
	
	They've done nothing except give themselves a black eye.
	
	My look in to the future: Projects like the Bleeding Edge will pop
up all
	over the place offering a safe haven for Snort rule creation and
	distribution. The beautiful thing about Snort signatures is anyone
can make
	them. When a new 0day exploit or worm comes out, their will be a
race
	between all these projects as to who can get the best signature out
and who
	can do it the fastest. If you get enough people together, more rules
can be
	developed and can be developed much faster than Sourcefire.
	
	I also see other open source IDS projects starting, IDS' like
Firestorm,
	Prelude, etc. that use the Snort signature syntax we're already all
familiar
	with. 
	
	
	
	Best Regards,
	
	
	Eric Hines, GCIA, CISSP
	CEO, President, Chairman
	Applied Watch Technologies, LLC
	1134 N. Main St.
	Algonquin, IL 60102
	Tel: (877) 262-7593 x327
	Fax: (877) 262-7593
	Web: http://www.appliedwatch.com
	 
	-----Original Message-----
	From: snort-users-admin at lists.sourceforge.net
	[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
Michael Steele
	Sent: Wednesday, March 02, 2005 6:05 PM
	To: 'Snort Users Postings'
	Subject: RE: [Snort-users] Demarc Certified Open Signatures
	
	Remember this one thing; If not for the dedication of pre-Sourcefire
	contributions from others, Snort would not be where it is today, and
this
	goes for Sourcefire.
	
	This is only the beginning. Does it seem inconceivable that in the
future
	Snort builds might be treated the same as the rules are. If it's OK
to do
	this with the rules, then where does it stop...
	
	Kindest regards,
	Michael...
	
	WINSNORT.com Management Team Member
	-- 
	Pick up your FREE Windows or UNIX Snort installation guides       
	mailto:support at ...9077...
	Website: http://www.winsnort.com
	Snort: Open Source Network IDS - http://www.snort.org
	
	
	> -----Original Message-----
	> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-

	> admin at lists.sourceforge.net] On Behalf Of Bob Konigsberg
	> Sent: Wednesday, March 02, 2005 2:31 PM
	> To: 'Bamm Visscher'; 'Demarc Security'
	> Cc: snort-users at lists.sourceforge.net
	> Subject: RE: [Snort-users] Demarc Certified Open Signatures
	> 
	> I don't think that's the key point here.  This has already
happened 
	> with Nessus and Snort - that is, people are making money off of
their 
	> open source work, and not giving credit OR cash back to the 
	> developers.
	> 
	> It's kind of sad where a few folks spoil it, but both
organizations 
	> are trying hard to stick to their roots - while getting what's due
them.
	> 
	> Bob
	> 
	> -----Original Message-----
	> From: snort-users-admin at lists.sourceforge.net
	> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bamm

	> Visscher
	> Sent: Wednesday, March 02, 2005 2:19 PM
	> To: Demarc Security
	> Cc: snort-users at lists.sourceforge.net
	> Subject: Re: [Snort-users] Demarc Certified Open Signatures
	> 
	> Shouldn't a reputable company, who is supposedly committed to the 
	> opensource community ensure that the copyright notices for the
rules 
	> files stay intact?
	> 
	> Bammkkkk
	> 
	> On Wed, 2 Mar 2005 10:09:11 -0800 (PST), Demarc Security 
	> <snort_ml at ...2629...> wrote:
	> >
	> >
	> > Since our inception in 2001, Demarc has been committed to
promoting 
	> > secure Internet use by providing free versions of our products
for 
	> > users
	> at home.
	> > We believe that because we use Open Source technology such as
Linux 
	> > and Snort, that we should give back to the security community as
a 
	> > whole.  We have continued to fulfill this commitment, most
recently 
	> > with the release of our Sentarus HomeAdmin Edition, which allows

	> > people to deploy some of our latest security technology in their

	> > home
	> lab
	> environments at no cost.
	> >
	> > In addition to our Sentarus and PureSecure products, our
customers 
	> > have also benefited from the expertise of our Threat Research
Team 
	> > which has, to date, been tasked with verifying rule stream
updates 
	> > and educating customers on the detailed workings of Snort 
	> > technology. In light of some upcoming changes, we're now
expanding 
	> > our research team and formally announcing our new "Certified
Open
	Signatures" program.
	> > Our Certified Open Signatures program, which will be universally

	> > available to the entire community, is founded on these two
principles:
	> >
	> >     1)  Like the Snort program itself, the latest rule
signatures should
	> >         always be available for free because strong computer and
network
	> >         security are in everyone's best interests.
	> >
	> >     2)  The best way for a company to serve a community project
is to
	> >         remain true to the original goals of that project and
refrain
	> >         from charging for vital components that have always been
	> >         community-driven and free.
	> >
	> > We make this announcement now, as we have recently received
notice 
	> > from Sourcefire that, as of next week, early access to all
future 
	> > Snort signatures they create will be based on a subscription
model.
	> >
	> > The Sourcefire license changes as they were presented to us are:
	> >
	> >     - All rule updates will be a minimum of five days older than
those
	> >       Sourcefire sells to their customers, and you will be
required to
	> >       register to receive them or to wait for the next major
Snort
	> >       release.
	> >
	> >    -  To receive the latest rules any sooner, you will have to
pay
	> >       Sourcefire a rule subscription fee.
	> >
	> > We sincerely respect the efforts of the Sourcefire Snort
development 
	> > group along with the numerous others who created the base
technology 
	> > and rulesets that have made Snort a household name in the
security 
	> > community.  However, one of the greatest benefits of using Snort
is 
	> > the community review process which will now be subject to an
imposed
	> arbitrary delay.
	> >
	> > At Demarc, our commitment to the security community is simple:
	> >
	> >    -  Demarc will maintain http://snort.demarc.com/ as a
community
	> portal
	> >       for Snort signatures and Snort-based technology.  (This
site is
	> >       meant to augment and not replace snort.org or the
snort-sigs
	> >       mailing list.)
	> >
	> >    -  Demarc will produce and revise rules, as well as
collaborate with
	> >       active groups to bring together the best rules from all
community
	> >       sources.  User sites such as Bleeding Snort have been at
the
	> >       forefront of new signature development and we view these
groups'
	> >       contributions as invaluable.  Our goal is to work with
these
	> >       groups and to serve as the trusted source for certified,
	> >       production level rulesets.
	> >
	> >    -  Demarc's Threat Research Team will continue to provide the
latest
	> >       cutting-edge and Demarc Certified rules, making them
immediately
	> >       available for public download and contribution.
	> >
	> >    -  Demarc will not charge for the download, use, or
modification of
	> >       rules hosted on this site.
	> >
	> > Our community portal at http://snort.demarc.com/ will
continually 
	> > evolve over the next several weeks to offer more features,
including 
	> > direct user interaction. Our community portal will also become
the 
	> > new home for the SPADE statistical packet anomaly detection
project 
	> > and SnortSnarf, two projects originally managed by
SiliconDefense 
	> > and
	> subsequently transferred to Demarc.
	> >
	> > We welcome your support on these projects through signature
review 
	> > and submissions, and, as with all community projects, your
feedback 
	> > is always welcome to help make it better.
	> >
	> > Sincerely,
	> >
	> > Ashlyn Reznik
	> > Demarc Threat Research Team
	> > Email: areznik at ...4451...
	> > http://www.demarc.com/products/
	> >
	> 
	> 
	> --
	> sguil - The Analyst Console for NSM
	> http://sguil.sf.net
	> 
	> 
	> -------------------------------------------------------
	> SF email is sponsored by - The IT Product Guide Read honest &
candid 
	> reviews on hundreds of IT Products from real users.
	> Discover which products truly live up to the hype. Start reading
now.
	> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
	> _______________________________________________
	> Snort-users mailing list
	> Snort-users at lists.sourceforge.net
	> Go to this URL to change user options or unsubscribe:
	> https://lists.sourceforge.net/lists/listinfo/snort-users
	> Snort-users list archive:
	> http://www.geocrawler.com/redir-sf.php3?list=snort-users
	> 
	> 
	> 
	> 
	> 
	> -------------------------------------------------------
	> SF email is sponsored by - The IT Product Guide Read honest &
candid 
	> reviews on hundreds of IT Products from real users.
	> Discover which products truly live up to the hype. Start reading
now.
	> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
	> _______________________________________________
	> Snort-users mailing list
	> Snort-users at lists.sourceforge.net
	> Go to this URL to change user options or unsubscribe:
	> https://lists.sourceforge.net/lists/listinfo/snort-users
	> Snort-users list archive:
	> http://www.geocrawler.com/redir-sf.php3?list=snort-users
	
	
	
	
	
	
	
	-------------------------------------------------------
	SF email is sponsored by - The IT Product Guide Read honest & candid
reviews
	on hundreds of IT Products from real users.
	Discover which products truly live up to the hype. Start reading
now.
	http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
	_______________________________________________
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
	https://lists.sourceforge.net/lists/listinfo/snort-users
	Snort-users list archive:
	http://www.geocrawler.com/redir-sf.php3?list=snort-users
	
	
	
	-------------------------------------------------------
	SF email is sponsored by - The IT Product Guide
	Read honest & candid reviews on hundreds of IT Products from real
users.
	Discover which products truly live up to the hype. Start reading
now.
	http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
	_______________________________________________
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
	https://lists.sourceforge.net/lists/listinfo/snort-users
	Snort-users list archive:
	http://www.geocrawler.com/redir-sf.php3?list=snort-users
	

-- 
Esler, Joel CNTR/Sytex <joel.esler at ...9426...> 	





More information about the Snort-users mailing list