[Snort-users] [Snort-sigs] Snort 2.8.6.1 EOL Reminder

Matthew Jonkman jonkman at ...15020...
Thu Dec 1 16:56:18 EST 2011


Thanks for the good words. Both rulesets are quite good, just different focus for each, and different platforms supported. 

I think it'll cause much more heartburn if I were to explain my percetion of the differences in the rulesets on the sourcefire lists here, so if no one minds I'll take that over to the emerigng-sigs list and we can talk about it more there. 

Matt

On Dec 1, 2011, at 4:50 PM, L0rd Ch0de1m0rt wrote:

> Shawn, this is a good question.
> 
> Simply put, the VRT ruleset is geared more toward exploits and ET is
> geared more toward malware and, obviously, emerging threats.  That
> said, there is a lot of overlap.  My understanding is that a lot of
> effort went in to the ET ruleset (open and pro) before the ET Pro
> launch and some of that was adding rules so the ET ruleset covered a
> lot of what VRT covered as well. I could be wrong about that (I'm not
> officially affiliated with VRT or Emerging Threats by the way).
> 
> The ET Pro ruleset does have coverage for stuff like the monthly
> Microsoft vulnerabilities and more.  I believe they have access to the
> MS patch pre-release data MS gives to security companies (this is one
> reason why ET Pro requires a NDA I believe).  This, along with the
> support, active development, and QA is why ET Pro is not free.
> Speaking of NDA, there is one of those but the rules are still all
> text based which is nice because you can get a better idea of why a
> rule fired, unlike some VRT GID3 rules that are closed source.  I
> guess ET just expects you to abide by the NDA and they only do
> business with legit companies.
> 
> Personally, I stopped updating the VRT rules a while back.  The rules
> were not very efficient or timely enough for me.  I still run a few
> older ones I find useful from time to time.
> 
> This is just my 2 cents; Matt could probably give you a more detailed
> and better answer; I'll include him on this response.  You may also
> wish to ask the emerging-sigs mailing list
> (http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs) for
> people's opinions.
> 
> Cheers,
> 
> -L0rd Ch0de1m0rt
> 
> On 12/1/11, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:
>> I've been curious what the differences between the ET paid rules and the VRT
>> subscription rules are? I'm hoping this can be discussed without opening a
>> huge flame war. :)  For background, I'm currently running the VRT
>> subscription rules with the ET free rules.
>> 
>> For instance, the VRT is part of the MS program that releases vuln data
>> early (and typically these rules are .so rules).  Does ET get this data?
>> How do they deal with non-disclosure, since I think all the rules are text
>> based?
>> 
>> For the most part, is everything in the VRT ruleset covered in the ET
>> ruleset?  Could I drop VRT for instance and just run ET pro?
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt at ...11827...]
>> Sent: Thursday, December 01, 2011 1:06 PM
>> To: Joel Esler
>> Cc: snort-sigs at lists.sourceforge.net; snortusers at ...14071...;
>> snort-users at lists.sourceforge.net Users; Snort-Signatures
>> Subject: Re: [Snort-users] [Snort-sigs] Snort 2.8.6.1 EOL Reminder
>> 
>> Thanks for the reminder, Joel.  Those who can't upgrade to a newer or newest
>> version of Snort, or wish to use a different ruleset alongside, or instead
>> of the VRT set, should definitely check out Emerging Threats Pro --
>> http://www.emergingthreatspro.com/.  The Emerging Threats Open rules are
>> free and updated almost daily to respond to the latest threats and I have
>> found them to be quite effective, timely, and properly QAed.  There are also
>> some you can pay for as well (cheaper than VRT I think); see
>> http://www.emergingthreatspro.com/products/ for details.
>> 
>> Emerging Threats Open/Pro supports rules for Snort 2.4.0 up to the current
>> version, as well as rules optimised for Suricata
>> (http://www.openinfosecfoundation.org/index.php/download-suricata).
>> Personally, I like https://rules.emergingthreatspro.com/open-nogpl/.
>> 
>> That said, if you are still running an older version of Snort, I highly
>> encourage you to update since there are a lot of new and extremely helpful
>> features in newer versions that allow for more accurate and efficient rules.
>> 
>> Cheers,
>> 
>> -L0rd Ch0de1m0rt
>> 
>> On 11/28/11, Joel Esler <jesler at ...1935...> wrote:
>>> As a reminder, today's rule release marks the last rule release for
>>> Snort
>>> 2.8.6.1:
>>> 
>>> http://blog.snort.org/2011/11/vrt-rule-update-for-11282011.html
>>> 
>>> Please upgrade to the current version of Snort (2.9.1.2) available at
>>> http://www.snort.org/snort-downloads
>>> 
>>> Our EOL policy and dates of EOL for Snort versions can be found here:
>>> 
>>> http://www.snort.org/vrt/rules/eol_policy
>>> 
>>> Thanks!
>>> 
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>> 
>> ------------------------------------------------------------------------------
>> All the data continuously generated in your IT infrastructure contains a
>> definitive record of customers, application performance, security threats,
>> fraudulent activity, and more. Splunk takes this data and makes sense of it.
>> IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-novd2d
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4399 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20111201/651e0d33/attachment.bin>


More information about the Snort-users mailing list