[Snort-users] [Snort-sigs] [Emerging-Sigs] Snort EOL Reminder

Matthew Jonkman jonkman at ...15020...
Fri Dec 2 10:08:18 EST 2011

On Dec 1, 2011, at 9:45 PM, Jeff Kell wrote:

> On 12/1/2011 4:56 PM, Matthew Jonkman wrote:
>> Thanks for the good words. Both rulesets are quite good, just different focus for each, and different platforms supported. 
> Agreed, but for those of us that aggregate our layers of defense <grin>
> it would be very nice to have a ETPRO and ETPRO-noGPL just as you have
> an ET and ET-noGPL set.

That's not a bad way to go. You'll have duplicated cycles, but you'll have a net gain in coverage if your sensors can handle the load. 

So on the GPL duplication: We're moving the forked GPL sigs that we're maintaining up to the 2100000 sid range. That'll be complete today perhaps. We just have the imap category left to go. There were two reasons for that:

1. Lets us fork those into Suricata versions, and maintain old versions without conflicts and coordination issues

2. Allows you to easily disable the range if you're using them from another source. You can cat and grep them out, or do a disable range in whatever rule manager is used.

Does that work for those issues? NOTE: We push the useful GPL sigs from the old community ruleset (10 million range and up I think). I don't believe any of those are in the VRT tarball, so if you want those be sure to use the GPL stuff from our side and filter them out of VRT.

We could put up an ET Pro ruleset without the GPL stuff in there. Wouldn't be a huge deal to implement if it's necessary.

> With the current framework, you can't easily run VRT and ETPRO
> (duplication of filenames and signatures).

We generally recommend to ET Pro subscribers who are also using VRT or another ruleset that you just drop them into separate directories and redefine the rules_path var between each. That keeps things clean and organized. The average rule manager GUI shouldn't have the issue at all.

> You can however easily run sourcefire (non-VRT) plus ET (non PRO).

Yup! Although you'll be missing the community sigs if you go no-GPL.

Thanks Jeff!


> Jeff

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
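The "cat and grep them out" step described above (disabling the forked GPL sigs by sid range when the same signatures are already loaded from another source), as an added example that is not part of the original thread or of any Emerging Threats tooling. It assumes the forked GPL range is 2100000-2199999 (the message only names the 2100000 start) and uses constructed sample rules, not real ET or VRT signatures.

```shell
#!/bin/sh
# Comment out Snort rules whose sid falls inside a given range, leaving every
# other line (including already-disabled rules and comments) untouched.
# Assumption: the ET-maintained GPL fork lives in sid 2100000-2199999.
GPL_FORK_LOW=2100000
GPL_FORK_HIGH=2199999

# Constructed sample rules for the demonstration (not from any real ruleset).
SAMPLE_RULES='alert tcp any any -> any 80 (msg:"CONSTRUCTED ET rule A"; sid:2010001; rev:1;)
alert tcp any any -> any 143 (msg:"CONSTRUCTED GPL fork imap"; sid:2100123; rev:2;)
# alert tcp any any -> any 25 (msg:"CONSTRUCTED already disabled"; sid:2100456; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED ET rule B"; sid:2011000; rev:1;)'

# disable_sid_range LOW HIGH
# Reads rules on stdin and prints them with every active rule whose sid lies in
# [LOW, HIGH] prefixed by "# ". Lines that are not active rules pass through.
disable_sid_range() {
    awk -v lo="$1" -v hi="$2" '
        /^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]/ && match($0, /sid:[[:space:]]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)   # text after "sid:"
            gsub(/[[:space:]]/, "", sid)
            if (sid + 0 >= lo + 0 && sid + 0 <= hi + 0) { print "# " $0; next }
        }
        { print }
    '
}

# count_active_in_range LOW HIGH
# Number of still-active rules in the range; run it after filtering as a check
# that nothing in the disabled range is going to be loaded twice.
count_active_in_range() {
    awk -v lo="$1" -v hi="$2" '
        /^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]/ && match($0, /sid:[[:space:]]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[[:space:]]/, "", sid)
            if (sid + 0 >= lo + 0 && sid + 0 <= hi + 0) n++
        }
        END { print n + 0 }
    '
}

# Usage on the constructed sample: disable the GPL fork range and verify.
printf '%s\n' "$SAMPLE_RULES" | disable_sid_range "$GPL_FORK_LOW" "$GPL_FORK_HIGH"
printf '%s\n' "$SAMPLE_RULES" | disable_sid_range "$GPL_FORK_LOW" "$GPL_FORK_HIGH" \
    | count_active_in_range "$GPL_FORK_LOW" "$GPL_FORK_HIGH"
```

Against a real tree you would run it per file (for example `disable_sid_range 2100000 2199999 < gpl.rules > gpl.rules.filtered`) and keep the filtered copies in their own directory, which also fits the separate-directory layout with a redefined rules_path var that the message recommends for running two rulesets side by side. The check function is the part worth keeping: a non-zero count after filtering means a rule in the range survived, most likely because a rule did not start with a standard action keyword or had the sid option formatted unusually.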

