[Snort-users] rules downloads and whatever..

SN ORT snort_on_acid at ...131...
Tue Sep 19 15:45:26 EDT 2006

I'm talking strictly what used to be at snort.org,
where new sigs used to come out free, every night or
close to that. Whatever SF does is not related to what
I'm saying here. I'm talking about the non-commercial
side of Snort. The commercial side of Snort grew from
EXACTLY my point, "build confidence, reputation, and
then start making the big $$$$$!" (Hey, I'm all for
that!) For new sigs, you either gotta go somewhere
else, get/develop your own, which now requires
significantly more manual effort, wait a few days for
snort.org to release the free ones or pay for
subscription sigs if you want to take a more proactive
approach (OK, who doesn't want to catch 0-day
exploits? Or even 1-day!?) But this is all IDS stuff
anyways. What good is IDS AFTER the fact? You could
always tell your boss, "Hey, here's what we were hit

I wouldn't pay for an IDS, I'd pay for IPS and the
things I use to proactively protect my network, which
have support for 0-day exploits. 

Anyways I think we all know the community-developed
rules are a bit of a joke. They may be somewhere on
the order of 5-day exploit detection...and even then,
like I said, it's only detection. Serious, error-free
or damn close to error-free, proactive exploit
protection is what I use, and for many years now,
while most other people are out there still afraid to,
"block legitimate traffic!" Too many people worried
about the "new worms". I could care less about
viruses, I just want to keep out any exploits, and not
worry about the carrier. Sorry, got off topic there. 



Message: 4
Date: Tue, 19 Sep 2006 13:47:58 -0400
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] rules downloads and
To: SN ORT <snort_on_acid at ...131...>
Cc: snort-users at lists.sourceforge.net
Message-ID: <45102D4E.4050006 at ...4108...>
Content-Type: text/plain; charset=ISO-8859-1

SN ORT wrote:

> Oh well, since you know Marty so well, you're like
> close friends now, maybe you can explain why people
> now have to pay for the latest sigs?

Erm, you only have to pay to get the latest signatures that SourceFire
developed internally. All the community-developed rules are not delayed,
nor for pay.

Also previously these SourceFire signatures were not available on an early
basis to normal snort users at all, only users of the commercial sourcefire
boxes could get them early. Snort users had to wait. This is the way been.
SF made no secrets about it, and I do recall it being mentioned several
times on the list that they updated their commercial subscribers first,
then made their releases to the snort userbase later. This is all long
before the for-pay option existed.

So while this looks like SF is taking something away to gain a profit,
they're really offering something they never offered before. It's a way
for the free product users to step up to the same level of rule updates
as the commercial product, but with reduced cost (and none of the other
commercial product features like RNA).

Personally, I like it, and think it's a good way for SF to get money to
continue to feed their rule research team.

> I'm not faulting people for
> trying to make a buck, I'm just saying it's a bit
> foolish to rely solely on a free product to protect
> your network and expect it to remain free and last
> forever.
> Open source is a Godsend, but let's be realistic:
> another reason to make a great open-source product
> to build confidence, reputation, and then start
> the big $$$$$! This is a natural progression of
> things, and sooner or later programmers have to make
> money.

While there's some truth in what you say, there's also a lot of fallacy
in it. Many free products do have a lot of potential to last forever.
These are mostly tools where the developer needs the tool to help them in
their normal for-pay job.

Tools like tcpdump/Ethereal will probably always have developers
contributing to it for free, because many developers working on other
network technologies rely on it, and often find/fix bugs in it as a
side-effect of doing other for-pay work.

Now I'd agree, snort may not fall into this, but it's a pure fallacy to
think this can't ever happen to any software tool. It can, and does.

