[Snort-users] Licensing

Martin Roesch roesch at ...1935...
Tue Mar 8 07:57:23 EST 2005


One other point: We run the rules through an extensive QA process to 
verify that they function correctly and that the entire rest of the 
rule set functions properly after integration (i.e. a full regression 
test).  We run on the order of 6.8 million tests every time we QA a new 
rule set to verify that the rules still fire as they should and don't fire 
when they shouldn't.  We also pay attention to performance when we 
develop rules so that our gigabit sensors don't turn into 100Mb 
sensors; it's entirely possible to write PCRE rules that take *seconds* 
to run per packet...

Additionally, we have the capability in house to develop rules for 
vulnerabilities that don't have public exploits available in the wild.  
A good example of this was the LSASS.EXE vulnerability that turned into 
the Sasser worm.  We got notification of the vulnerability along with 
the rest of the world on Microsoft Tuesday and quickly reverse 
engineered the vulnerability and generated rules.  We had rules 
available that could pick up almost every variant of Sasser a week 
before the worm hit.  A more recent example is all the updates that 
we've added to netbios.rules for things like ms05-010 and ms05-011.

We have an extensive research and testing capability that we've 
developed over the years here and it's translating directly into high 
quality rules that allow Snort to have accurate detection while 
retaining high performance capabilities in addition to having rules 
that are available in advance of exploits.  That's the value associated 
with the VRT rules today and we intend to bring more to the table as 
the service matures.

      -Marty


On Mar 8, 2005, at 2:54 AM, Lee Clemens wrote:

> I assume, by "the rest", you mean the community rules? My 
> understanding is
> that the VRT rules are the ones produced and looked over by SF and 
> released
> with each major Snort version (Snort point x._._). Getting the newer
> versions basically means you will have rules that are more current with
> ongoing network/internet activities/vulnerable/worms/viruses that are 
> out
> there at that given time.
>
> An example might be if virus.X comes out, new rules would be written 
> and
> released by VRT to detect it (possibly long) before a new major 
> version of
> Snort may be released.
>
> I hope that helps clarify your question...if it doesn't please let me 
> know
> more specifically what your question is. Basically, it gives you 
> advanced
> detection capabilities...
>
> --Lee
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Florin 
> Andrei
> Sent: Tuesday, March 08, 2005 12:15 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Licensing
>
> On Mon, 2005-03-07 at 21:53 -0500, Martin Roesch wrote:
>
>> 3) VRT rules developed and QA'd at Sourcefire will be available for
>> commercial redistribution if the commercial entity acquires a license
>> from Sourcefire.
>
> Can someone explain to a guy who used Snort a long time ago but didn't
> keep in touch - what are the VRT rules and how are they different from
> the rest? I know they're QA'd by SF, I wonder from a practical
> standpoint - what do they give me, a Snort user, that the other rules
> don't?
>
> -- 
> Florin Andrei
>
> http://florin.myip.org/
>
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real 
> users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - 
http://www.snort.org
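The two points Marty raises above, a fire/don't-fire regression pass over a rule set and the cost of a badly written PCRE per packet, as an added example that is not Sourcefire's QA harness or Snort code. The rule format, SIDs, payloads and the `regression`/`seconds_per_packet` helpers are constructed for illustration; the only real behaviour shown is that a redundant nested quantifier backtracks exponentially on a near-miss payload while an equivalent flat pattern does not.

```python
import re
import time

# Constructed rules in simplified form: a cheap content check followed by a
# PCRE-style regex, the way a Snort rule pairs "content" with "pcre".
# SLOW_RULE carries a redundant nested quantifier (([a-z]+)+) that backtracks
# exponentially on a near-miss; FAST_RULE matches exactly the same strings.
SLOW_RULE = {"sid": 9000001, "content": b"USER ",
             "pcre": re.compile(rb"^USER ([a-z]+)+!")}
FAST_RULE = {"sid": 9000002, "content": b"USER ",
             "pcre": re.compile(rb"^USER [a-z]+!")}

def rule_fires(rule, payload):
    """True if the content is present and the regex then matches."""
    return rule["content"] in payload and rule["pcre"].search(payload) is not None

# Constructed regression corpus: (payload, set of SIDs expected to fire).
# Negative cases matter as much as positive ones: a rule must not fire on
# traffic that merely resembles the target.
CORPUS = [
    (b"USER anonymous!", {9000001, 9000002}),
    (b"USER bob\r\n", set()),
    (b"PASS " + b"a" * 40 + b"!", set()),
    (b"USER " + b"a" * 40 + b"!", {9000001, 9000002}),
]

def regression(rules, corpus):
    """Run every rule over every payload; return a list of mismatches."""
    failures = []
    for payload, expected in corpus:
        got = {r["sid"] for r in rules if rule_fires(r, payload)}
        if got != expected:
            failures.append((payload, expected, got))
    return failures

def near_miss(n):
    """Payload that passes the content check and almost matches the regex."""
    return b"USER " + b"a" * n + b"X"

def seconds_per_packet(rule, payload, repeats=3):
    """Best-of-N wall-clock cost of evaluating one rule on one payload."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        rule_fires(rule, payload)
        best = min(best, time.perf_counter() - t0)
    return best

if __name__ == "__main__":
    assert regression([SLOW_RULE, FAST_RULE], CORPUS) == []
    for n in (12, 16, 20):  # slow rule roughly doubles per extra byte
        print(n, seconds_per_packet(SLOW_RULE, near_miss(n)),
              seconds_per_packet(FAST_RULE, near_miss(n)))
```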





More information about the Snort-users mailing list