[Snort-users] [Snort-sigs] Snort 220.127.116.11 EOL Reminder
jonkman at ...15020...
Thu Dec 1 16:56:18 EST 2011
Thanks for the good words. Both rulesets are quite good, just different focus for each, and different platforms supported.
I think it'll cause much more heartburn if I were to explain my perception of the differences in the rulesets on the sourcefire lists here, so if no one minds I'll take that over to the emerging-sigs list and we can talk about it more there.
On Dec 1, 2011, at 4:50 PM, L0rd Ch0de1m0rt wrote:
> Shawn, this is a good question.
> Simply put, the VRT ruleset is geared more toward exploits and ET is
> geared more toward malware and, obviously, emerging threats. That
> said, there is a lot of overlap. My understanding is that a lot of
> effort went in to the ET ruleset (open and pro) before the ET Pro
> launch and some of that was adding rules so the ET ruleset covered a
> lot of what VRT covered as well. I could be wrong about that (I'm not
> officially affiliated with VRT or Emerging Threats by the way).
> The ET Pro ruleset does have coverage for stuff like the monthly
> Microsoft vulnerabilities and more. I believe they have access to the
> MS patch pre-release data MS gives to security companies (this is one
> reason why ET Pro requires a NDA I believe). This, along with the
> support, active development, and QA is why ET Pro is not free.
> Speaking of NDA, there is one of those but the rules are still all
> text based which is nice because you can get a better idea of why a
> rule fired, unlike some VRT GID3 rules that are closed source. I
> guess ET just expects you to abide by the NDA and they only do
> business with legit companies.
> Personally, I stopped updating the VRT rules a while back. The rules
> were not very efficient or timely enough for me. I still run a few
> older ones I find useful from time to time.
> This is just my 2 cents; Matt could probably give you a more detailed
> and better answer; I'll include him on this response. You may also
> wish to ask the emerging-sigs mailing list
> (http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs) for
> people's opinions.
> -L0rd Ch0de1m0rt
> On 12/1/11, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:
>> I've been curious what the differences between the ET paid rules and the VRT
>> subscription rules are? I'm hoping this can be discussed without opening a
>> huge flame war. :) For background, I'm currently running the VRT
>> subscription rules with the ET free rules.
>> For instance, the VRT is part of the MS program that releases vuln data
>> early (and typically these rules are .so rules). Does ET get this data?
>> How do they deal with non-disclosure, since I think all the rules are text
>> For the most part, is everything in the VRT ruleset covered in the ET
>> ruleset? Could I drop VRT for instance and just run ET pro?
>> -----Original Message-----
>> From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt at ...11827...]
>> Sent: Thursday, December 01, 2011 1:06 PM
>> To: Joel Esler
>> Cc: snort-sigs at lists.sourceforge.net; snortusers at ...14071...;
>> snort-users at lists.sourceforge.net Users; Snort-Signatures
>> Subject: Re: [Snort-users] [Snort-sigs] Snort 18.104.22.168 EOL Reminder
>> Thanks for the reminder, Joel. Those who can't upgrade to a newer or newest
>> version of Snort, or wish to use a different ruleset alongside, or instead
>> of the VRT set, should definitely check out Emerging Threats Pro --
>> http://www.emergingthreatspro.com/. The Emerging Threats Open rules are
>> free and updated almost daily to respond to the latest threats and I have
>> found them to be quite effective, timely, and properly QAed. There are also
>> some you can pay for as well (cheaper than VRT I think); see
>> http://www.emergingthreatspro.com/products/ for details.
>> Emerging Threats Open/Pro supports rules for Snort 2.4.0 up to the current
>> version, as well as rules optimised for Suricata
>> Personally, I like https://rules.emergingthreatspro.com/open-nogpl/.
>> That said, if you are still running an older version of Snort, I highly
>> encourage you to update since there are a lot of new and extremely helpful
>> features in newer versions that allow for more accurate and efficient rules.
>> -L0rd Ch0de1m0rt
>> On 11/28/11, Joel Esler <jesler at ...1935...> wrote:
>>> As a reminder, today's rule release marks the last rule release for
>>> Please upgrade to the current version of Snort (22.214.171.124) available at
>>> Our EOL policy and dates of EOL for Snort versions can be found here:
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110