[Snort-users] help

Jan Andreasson Jan at ...13148...
Tue Mar 8 10:37:12 EST 2005


 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...2902...ists.sourceforge.net] On Behalf Of snort-users-request at lists.sourceforge.net
Sent: 8 March 2005 19:33
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #4990 - 13 msgs


Today's Topics:

   1. Re: Licensing (Matt Kettler)
   2. Re: Snort Center 2.x (Alex Kirk)
   3. Re: tcp flood (Matt Kettler)
   4. Now that I have my oink code (Paul Schmehl)
   5. RE: Now that I have my oink code (Joshua Berry)
   6. Snort rule lookup from ACID broken?? (Marc Hering)
   7. Re: Snort rule lookup from ACID broken?? (Geffrey Velásquez)
   8. Re: Now that I have my oink code (Paul Schmehl)
   9. RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject (Marc Hering)
  10. RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken
       ?? - Email found in subject (SRH-Lists)
  11. My Experience with the new Sourcefire VRT rules.. (Marc Hering)
  12. RE: My Experience with the new Sourcefire VRT rules.. (Scott Morris)

--__--__--

Message: 1
Date: Tue, 08 Mar 2005 11:13:13 -0500
To: "Peter J Manis" <pmanis at ...5068...>,
   "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland at ...3768...>,
   <snort-users at lists.sourceforge.net>
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] Licensing

At 09:11 PM 3/7/2005, Peter J Manis wrote:
>I think you misinterpreted Marty's email.  Sourcefire doesn't allow you
>to bundle VRT rules in a commercial product no matter if you have a
>subscription or not, at least that's what the license says.

I didn't say a subscription would allow commercial redistribution. I said you had to pay in order to do commercial redistribution. i.e.: you need to obtain a commercial license from SF.

Basically there are two situations that involve you having to pay money of some amount to Sourcefire for the VRT rules. 1) if you want them fast you need a subscription 2) if you want to bundle them you need a commercial distribution license.

Obviously 1) is much cheaper, and 2) is subject to negotiations.





--__--__--

Message: 2
Date: Tue, 08 Mar 2005 11:32:08 -0500
From: Alex Kirk <alex.kirk at ...1935...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Center 2.x

Jason,

I went out and got the latest copy of Snortcenter from Sourceforge (snortcenter-release.tar.gz from 2004-12-29, to be precise) when I saw this, so I could help you get it fixed. You'll at least need to update $snortrules_url in config.php to add an Oinkcode and reflect the new location, as discussed on this list by those using Oinkmaster. Just for clarification, once you register -- which is free and easy -- you can generate an Oinkcode for each IP that you need to download rules from with a very simple form in the User Preferences section of the new site.

In cases where forced downloading is not enabled (i.e. there is no "force" parameter in the URI for db_pars.php, and thus if(!$force) succeeds on line 32 of that file), you'll also need to have an updated MD5 download path. At the moment, we don't have a snortrules-snapshot-2.3.tar.gz.md5 file, but that should be fixed shortly.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> Hello,
>
> For all of you that are using Snortcenter still the new snort website 
> has totally broken all rule import functionality.  I'm looking at the 
> different rule sets and what the requirements are for getting them and 
> what information needs to be passed to the website.  But at this time 
> I'm not sure what needs to be done to get it working again.
>
> Jason Alexander

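The non-forced update path described in the message above depends on a published snortrules-snapshot-2.3.tar.gz.md5 file. The sketch below is an added example, not Snortcenter's or Oinkmaster's own code: it assumes the .md5 file carries the snapshot's hex digest (bare, md5sum style or BSD style) and uses it both to decide whether a new download is needed and to check the tarball before import. All function names and sample data are constructed.

```python
import hashlib
import hmac
import re

# A 32-hex-digit run that is not part of a longer hex string. This covers a
# bare digest, md5sum output ("<hex>  file") and BSD output ("MD5 (file) = <hex>").
_MD5_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32})(?![0-9a-fA-F])")


def parse_md5_file(text):
    """Return the lowercase hex digest found in a .md5 file body, or None."""
    match = _MD5_RE.search(text or "")
    return match.group(1).lower() if match else None


def needs_download(published_text, last_imported_md5, force=False):
    """Decide whether the rules snapshot should be fetched.

    force=True corresponds to a forced import: no comparison is made.
    Otherwise the published digest is compared with the digest of the last
    snapshot that was imported. A missing or unparseable .md5 (for example
    an HTML "page not found" body) raises instead of being read as
    "nothing changed", so a broken MD5 path is noticed.
    """
    if force:
        return True
    published = parse_md5_file(published_text)
    if published is None:
        raise ValueError("published .md5 is missing or unparseable")
    return published != (last_imported_md5 or "").lower()


def verify_snapshot(tarball_bytes, published_text):
    """Return True only if the tarball's MD5 matches the published digest.

    This catches truncated or corrupted downloads and stale mirrors. It is
    not an authenticity check: a digest served from the same host and over
    the same channel as the tarball changes together with it.
    """
    published = parse_md5_file(published_text)
    if published is None:
        return False
    actual = hashlib.md5(tarball_bytes).hexdigest()
    return hmac.compare_digest(actual, published)


if __name__ == "__main__":
    # Constructed stand-in for the downloaded snapshot and its .md5 file.
    snapshot = b"constructed rules snapshot"
    md5_body = hashlib.md5(snapshot).hexdigest() + "  snortrules-snapshot-2.3.tar.gz\n"

    print("first import needed:", needs_download(md5_body, None))
    print("snapshot verifies:  ", verify_snapshot(snapshot, md5_body))
    print("truncated verifies: ", verify_snapshot(snapshot[:-1], md5_body))
    print("re-import needed:   ", needs_download(md5_body, parse_md5_file(md5_body)))
```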



--__--__--

Message: 3
Date: Tue, 08 Mar 2005 11:34:16 -0500
To: SN ORT <snort_on_acid at ...131...>, snort-users at lists.sourceforge.net
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] tcp flood

At 09:51 AM 3/8/2005, SN ORT wrote:
>Yeah, any IoS Cisco that is, including the new IoS for PiX. Thanks.

Of course, the new OS for the PiX isn't released yet, so it doesn't do the OP any good. They have a public data sheet so we can plan for it, but that's all that's in public release. (PiX OS 7.0 is in beta, but that's not available to normal users with support contracts, you need a separate level of access and an NDA for the beta)

Also, minor point: technically it's PiX OS, not IOS. I only point it out because it's one common way to distinguish the product lines.. "It's an IOS based firewall" explicitly means it's not a PiX, but a router with the FWFS added on.




--__--__--

Message: 4
Date: Tue, 08 Mar 2005 11:39:41 -0600
From: Paul Schmehl <pauls at ...6838...>
Reply-To: Paul Schmehl <pauls at ...6838...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Now that I have my oink code

When will it work?  Right now it doesn't.  How much time lag is there before the oink code allows me to d/l the ruleset?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


--__--__--

Message: 5
Subject: RE: [Snort-users] Now that I have my oink code
Date: Tue, 8 Mar 2005 11:42:02 -0600
From: "Joshua Berry" <jberry at ...11848...>
To: "Paul Schmehl" <pauls at ...6838...>,
	<snort-users at lists.sourceforge.net>

I was able to download immediately.  I just had to figure out what IP my internal system was NATting to outbound.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul Schmehl
Sent: Tuesday, March 08, 2005 11:40 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Now that I have my oink code

When will it work?  Right now it doesn't.  How much time lag is there before the oink code allows me to d/l the ruleset?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




--__--__--

Message: 6
Date: Tue, 8 Mar 2005 12:45:46 -0500
From: "Marc Hering" <mhering at ...13116...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort rule lookup from ACID broken??

Hey Guys,
Is it just me, or since they changed the website, If I get an alert in ACID, and I click on "Snort" which usually takes me to a description of the rule that was violated..Now I get "Oink page not found"  Is this just me or is this universal????
<M>


--__--__--

Message: 7
Date: Tue, 08 Mar 2005 12:49:23 -0500
From: Geffrey Velásquez <gvelasquez at ...12923...>
To: Marc Hering <mhering at ...13116...>
CC:  snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort rule lookup from ACID broken??

Yes! there is no more access using the url:

http://www.snort.org/snort-db/sid.html?sid=NUMBER



Marc Hering wrote:

> Hey Guys,
> Is it just me, or since they changed the website, If I get an alert in 
> ACID, and I click on "Snort" which usually takes me to a description 
> of the rule that was violated..Now I get "Oink page not found"  Is 
> this just me or is this universal????
>  
>  
> <M>





--__--__--

Message: 8
Date: Tue, 08 Mar 2005 11:55:07 -0600
From: Paul Schmehl <pauls at ...6838...>
Reply-To: Paul Schmehl <pauls at ...6838...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Now that I have my oink code

--On Tuesday, March 08, 2005 11:39:41 AM -0600 Paul Schmehl <pauls at ...13150.....> wrote:

> When will it work?  Right now it doesn't.  How much time lag is there 
> before the oink code allows me to d/l the ruleset?
>
Never mind......

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


--__--__--

Message: 9
Subject: RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject
Date: Tue, 8 Mar 2005 12:54:34 -0500
From: "Marc Hering" <mhering at ...13116...>
To: Geffrey Velásquez <gvelasquez at ...12923...>
Cc: <snort-users at lists.sourceforge.net>

Well that sucks............Does anyone know if there is another Interface like that one anymore???? It saves me a lot of work!!!



Thanks!

-----Original Message-----
From: Geffrey Velásquez [mailto:gvelasquez at ...12923...]
Sent: Tuesday, March 08, 2005 12:49 PM
To: Marc Hering
Cc: snort-users at lists.sourceforge.net
Subject: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject

Yes! there is no more access using the url:

http://www.snort.org/snort-db/sid.html?sid=NUMBER



Marc Hering wrote:

> Hey Guys,
> Is it just me, or since they changed the website, If I get an alert in
> ACID, and I click on "Snort" which usually takes me to a description
> of the rule that was violated..Now I get "Oink page not found"  Is
> this just me or is this universal????
>
>
> <M>





--__--__--

Message: 10
From: SRH-Lists <giermo at ...8381...>
To: 'Marc Hering' <mhering at ...13116...>, Geffrey Velásquez <gvelasquez at ...12923...>
Cc: snort-users at lists.sourceforge.net
Subject: RE: [SPAM] - Re: [Snort-users] Snort rule lookup from ACID broken?? - Email found in subject
Date: Tue, 8 Mar 2005 11:59:33 -0600 


> Yes! there is no more access using the url:
>
> http://www.snort.org/snort-db/sid.html?sid=NUMBER
>
>
>
> Marc Hering wrote:
>
> > Hey Guys,
> > Is it just me, or since they changed the website, If I get
> > an alert in ACID, and I click on "Snort" which usually takes me to a
> > description of the rule that was violated..Now I get "Oink page not found"
> > Is this just me or is this universal????
> >
> >
> > <M>

It is in the works:
http://www.snort.org/rules/search.html

<quote>
We are currently developing an enhanced rule search engine, which will be available shortly. We apologize for any inconvenience this may cause.
</quote>

-steve



--__--__--

Message: 11
Date: Tue, 8 Mar 2005 13:19:31 -0500
From: "Marc Hering" <mhering at ...13116...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] My Experience with the new Sourcefire VRT rules..

Well,
I know there has been a lot of debate over the new VRT Rules and licensing methods from Sourcefire.  I was staying on the sidelines due to my relative newness to Snort in general, but now that I have had some interaction with the new website I wanted to let everyone know my experiences..  This is just what happened to me, and I am not trying to start any flame wars...so if you agree with me then great, if you don't agree with me then great!

Let me start out by saying that I personally don't have a problem with what SF is doing,  After all, if I didn't want to pay I can still get the rules 5 days later for free or write my own.  but since I need the rules pretty fast (and I am not the best at writing rules..) I was ok with paying the subscription fee.   So I mosey on over to snort.org and try to sign up.

Well, all I can say is that if you are like me and don't mind paying the subscription, then GOOD LUCK!!  Finding the pricing is damn near impossible, and when you follow the link to even sign up, it tries to take you to a secure site THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it doesn't protect snort.org  it is for sourcefire.com) then when I get to the signup page, firefox reports that this site is not secure at all (even though it says https, there is no encryption going on) Yeah I'm gonna transmit info plaintext..NOT!   And still no mention of how much it costs until after you create an account.....  Oh and for all you ACID users out there, I just found out that you can't do a rule lookup anymore even if you are a subscriber ( In their defense, they DO say the rule lookup function is forthcoming and I am sure some clever person will write a patch eventually)

I completely understand why Sourcefire is changing the way the rules are distributed, and I support them in it after all, they do deserve to get paid for hard work, however if they are going to make a change like this that affects the whole snort community, then I would request that they at least make sure that everything works before they put it live!
Thanks!

</rant mode>



--__--__--

Message: 12
Subject: RE: [Snort-users] My Experience with the new Sourcefire VRT rules..
Date: Tue, 8 Mar 2005 13:32:25 -0500
From: "Scott Morris" <Scott.Morris at ...13146...>
To: <snort-users at lists.sourceforge.net>

    It is a new site so I'll give them slack there. However our corporate counsel had apoplexy when he saw the license terms. Particularly the granting access to books, records and facilities.

You will, from time to time and as requested by Sourcefire, provide assurances to Sourcefire that you are using the VRT Certified Rules consistent with a Permitted Use, and you grant Sourcefire access, at reasonable times and in a reasonable manner, to the VRT Certified Rules in your possession or control, and to your books, records and facilities to permit Sourcefire to verify appropriate use of the VRT Certified Rules and compliance with this Agreement.

	-----Original Message-----
	From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marc Hering
	Sent: Tuesday, March 08, 2005 1:20 PM
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] My Experience with the new Sourcefire VRT rules..

	Well,
	I know there has been a lot of debate over the new VRT Rules and licensing methods from Sourcefire.  I was staying on the sidelines due to my relative newness to Snort in general, but now that I have had some interaction with the new website I wanted to let everyone know my experiences..  This is just what happened to me, and I am not trying to start any flame wars...so if you agree with me then great, if you don't agree with me then great!

	Let me start out by saying that I personally don't have a problem with what SF is doing,  After all, if I didn't want to pay I can still get the rules 5 days later for free or write my own.  but since I need the rules pretty fast (and I am not the best at writing rules..) I was ok with paying the subscription fee.   So I mosey on over to snort.org and try to sign up.

	Well, all I can say is that if you are like me and don't mind paying the subscription, then GOOD LUCK!!  Finding the pricing is damn near impossible, and when you follow the link to even sign up, it tries to take you to a secure site THAT HAS AN INVALID CERTIFICATE! (the cert is valid, but it doesn't protect snort.org  it is for sourcefire.com) then when I get to the signup page, firefox reports that this site is not secure at all (even though it says https, there is no encryption going on) Yeah I'm gonna transmit info plaintext..NOT!   And still no mention of how much it costs until after you create an account.....  Oh and for all you ACID users out there, I just found out that you can't do a rule lookup anymore even if you are a subscriber ( In their defense, they DO say the rule lookup function is forthcoming and I am sure some clever person will write a patch eventually)

	I completely understand why Sourcefire is changing the way the rules are distributed, and I support them in it after all, they do deserve to get paid for hard work, however if they are going to make a change like this that affects the whole snort community, then I would request that they at least make sure that everything works before they put it live!
	Thanks!

	</rant mode>




--__--__--

End of Snort-users Digest