[Snort-users] [Snort-sigs] Snort EOL Reminder

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Thu Dec 1 16:50:17 EST 2011

Shawn, this is a good question.

Simply put, the VRT ruleset is geared more toward exploits and ET is
geared more toward malware and, obviously, emerging threats.  That
said, there is a lot of overlap.  My understanding is that a lot of
effort went in to the ET ruleset (open and pro) before the ET Pro
launch and some of that was adding rules so the ET ruleset covered a
lot of what VRT covered as well. I could be wrong about that (I'm not
officially affiliated with VRT or Emerging Threats by the way).

The ET Pro ruleset does have coverage for stuff like the monthly
Microsoft vulnerabilities and more.  I believe they have access to the
MS patch pre-release data MS gives to security companies (this is one
reason why ET Pro requires a NDA I believe).  This, along with the
support, active development, and QA is why ET Pro is not free.
Speaking of NDA, there is one of those but the rules are still all
text based which is nice because you can get a better idea of why a
rule fired, unlike some VRT GID3 rules that are closed source.  I
guess ET just expects you to abide by the NDA and they only do
business with legit companies.

Personally, I stopped updating the VRT rules a while back.  The rules
were not very efficient or timely enough for me.  I still run a few
older ones I find useful from time to time.

This is just my 2 cents; Matt could probably give you a more detailed
and better answer; I'll include him on this response.  You may also
wish to ask the emerging-sigs mailing list
(http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs) for
people's opinions.


-L0rd Ch0de1m0rt

On 12/1/11, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:
> I've been curious what the differences between the ET paid rules and the VRT
> subscription rules are? I'm hoping this can be discussed without opening a
> huge flame war. :)  For background, I'm currently running the VRT
> subscription rules with the ET free rules.
> For instance, the VRT is part of the MS program that releases vuln data
> early (and typically these rules are .so rules).  Does ET get this data?
> How do they deal with non-disclosure, since I think all the rules are text
> based?
> For the most part, is everything in the VRT ruleset covered in the ET
> ruleset?  Could I drop VRT for instance and just run ET pro?
> -----Original Message-----
> From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt at ...11827...]
> Sent: Thursday, December 01, 2011 1:06 PM
> To: Joel Esler
> Cc: snort-sigs at lists.sourceforge.net; snortusers at ...14071...;
> snort-users at lists.sourceforge.net Users; Snort-Signatures
> Subject: Re: [Snort-users] [Snort-sigs] Snort EOL Reminder
> Thanks for the reminder, Joel.  Those who can't upgrade to a newer or newest
> version of Snort, or wish to use a different ruleset alongside, or instead
> of the VRT set, should definitely check out Emerging Threats Pro --
> http://www.emergingthreatspro.com/.  The Emerging Threats Open rules are
> free and updated almost daily to respond to the latest threats and I have
> found them to be quite effective, timely, and properly QAed.  There are also
> some you can pay for as well (cheaper than VRT I think); see
> http://www.emergingthreatspro.com/products/ for details.
> Emerging Threats Open/Pro supports rules for Snort 2.4.0 up to the current
> version, as well as rules optimised for Suricata
> (http://www.openinfosecfoundation.org/index.php/download-suricata).
> Personally, I like https://rules.emergingthreatspro.com/open-nogpl/.
> That said, if you are still running an older version of Snort, I highly
> encourage you to update since there are a lot of new and extremely helpful
> features in newer versions that allow for more accurate and efficient rules.
> Cheers,
> -L0rd Ch0de1m0rt
> On 11/28/11, Joel Esler <jesler at ...1935...> wrote:
>> As a reminder, today's rule release marks the last rule release for
>> Snort
>> http://blog.snort.org/2011/11/vrt-rule-update-for-11282011.html
>> Please upgrade to the current version of Snort ( available at
>> http://www.snort.org/snort-downloads
>> Our EOL policy and dates of EOL for Snort versions can be found here:
>> http://www.snort.org/vrt/rules/eol_policy
>> Thanks!
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security threats,
> fraudulent activity, and more. Splunk takes this data and makes sense of it.
> IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

More information about the Snort-users mailing list