Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] bleeding -> snort rules?

from [Frank Knobbe] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] bleeding -> snort rules?
Date: Sat, 03 Dec 2005 11:20:43 -0600 
On Sat, 2005-12-03 at 08:14 -0600, Rich Adamson wrote:

Is there any effort going on by anyone to move rules from the bleeding
groups to the official snort rules (after some proof the bleeding rules
are not really bleeding anymore)?


Not really. You'll find that a lot of rules are not "bleeding" anymore.
They have matured over time due to continues improvement. We have a
group of admins that on a regular basis review existing rules and
continuously tweak and improve them.

If we were to hand all rules over to Snort community, we would loose the
ability to continually work on rules.

That said, if they are duplicates in the rules sets, we work with the
Community guys to get rules transitioned and moved. There might be a
case or two where we have very similar rules, but the Bleeding rule
seems like a better rule. We need to figure out if Community moves them
to us, or if we both should keep them around. Personally, I'd like to
run the version with better hit rate but less false positives, so there
might be cases where I have a Snort or Community rule turned off and a
similar Bleeding rule turned on.


I think both Community and Bleeding rule repositories are mature and
here to stay. I don't think either one would go away, so you will always
have to manage these two (and perhaps other) repositories. Community
Snort and Bleeding are working together to bring you the best open
source IDS rules (and apparently the only open source rules). We
actually improve each other rules too,and re work together to spot and
remove duplicates.

If you were referring to moving rules into the VRT rule set, I can tell
that would never happen. The VRT rule set is restricted by a license
that is not compatible with the Bleeding (or Community) license. So
neither a Community (I would hope), nor a Bleeding rule would be moved
into the license encumbered VRT rule set.


Does that answer your question? If not, feel free to ask again in the
OSSRC mail list. The OSSRC, or Open Source Snort Rule Consortium, has
been formed to formally organize the cooperation between rule
repositories like Community, Bleeding, and hopefully others. Anyone that
maintains a public set of rules (like the old WhiteHat rules) is
encouraged to join the OSSRC so that we may all work together on
bringing you the best rules for the best IDS there is.

Cheers,
Frank




-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] bleeding -> snort rules?, Rich Adamson
Next by Date:  Re: [Snort-sigs] bleeding -> snort rules?, Rich Adamson
Previous by Thread:  [Snort-sigs] bleeding -> snort rules?, Rich Adamson
Next by Thread:  Re: [Snort-sigs] bleeding -> snort rules?, Rich Adamson
Indexes:  [Date] [Thread] [Top] [All Lists]