[Snort-users] [Emerging-Sigs] [Snort-Sigs] Re: [Snort-sigs] Snort 220.127.116.11 EOL Reminder
jesler at ...1935...
Fri Dec 2 14:50:04 EST 2011
On Dec 2, 2011, at 2:35 PM, Matthew Jonkman wrote:
> Ya, we went through all this for a while, and for a number of reasons (of which I recall a few I'll put below) we decided itd be easier to fork. I did not realize though that you maintain the old community rules in the vrt tarball. Is that really so?
Of course. Our detection is continually updated and it will continue to be updated with new features when we are rolling them out. We have plans for the future that may effect a vast majority of these rules.
> Reasons I recall for the fork though:
> 1. Any changes vrt makes aren't public for 30 days. We don't want to wait there, or have to be pulling and picking apart the vrt tarball every release to find them.
> 2. We support many more versions of snort, and we have to maintain the older versions as they were, which makes all sorts of admin headaches when they change to new versions only in the vrt version
Which is one of the many reasons why we don't. We build features into Snort for a reason, to make detection better and easier. We believe that supporting old versions is incorrect and is like Microsoft continuing to support NT forever. It's just bad business.
> 4. I can't recall an example at the moment, but there may be cases where we want to set a flowbit for an ET rule in a gpl sig, which I imagine VRT wouldn't want to maintain if they didn't have the rule which checks it
> It isn't any insult that we moved them, don't take it that way.
No. I was one of the advocates for you moving them if you remember correctly. We can't have other people using our SIDs. It's bad enough we have different detection with same "pseudo" sid.
More information about the Snort-users