Is there any effort going on by anyone to move rules from the bleeding
groups to the official snort rules (after some proof the bleeding rules
are not really bleeding anymore)?
Not really. You'll find that a lot of rules are not "bleeding" anymore.
They have matured over time due to continues improvement. We have a
group of admins that on a regular basis review existing rules and
continuously tweak and improve them.
If we were to hand all rules over to Snort community, we would loose the
ability to continually work on rules.
That said, if they are duplicates in the rules sets, we work with the
Community guys to get rules transitioned and moved. There might be a
case or two where we have very similar rules, but the Bleeding rule
seems like a better rule. We need to figure out if Community moves them
to us, or if we both should keep them around. Personally, I'd like to
run the version with better hit rate but less false positives, so there
might be cases where I have a Snort or Community rule turned off and a
similar Bleeding rule turned on.
I think both Community and Bleeding rule repositories are mature and
here to stay. I don't think either one would go away, so you will always
have to manage these two (and perhaps other) repositories. Community
Snort and Bleeding are working together to bring you the best open
source IDS rules (and apparently the only open source rules). We
actually improve each other rules too,and re work together to spot and
remove duplicates.
If you were referring to moving rules into the VRT rule set, I can tell
that would never happen. The VRT rule set is restricted by a license
that is not compatible with the Bleeding (or Community) license. So
neither a Community (I would hope), nor a Bleeding rule would be moved
into the license encumbered VRT rule set.
Does that answer your question? If not, feel free to ask again in the
OSSRC mail list. The OSSRC, or Open Source Snort Rule Consortium, has
been formed to formally organize the cooperation between rule
repositories like Community, Bleeding, and hopefully others. Anyone that
maintains a public set of rules (like the old WhiteHat rules) is
encouraged to join the OSSRC so that we may all work together on
bringing you the best rules for the best IDS there is.
Yes, the above makes sense. It kind of bothers me that a significant
number of bleeding rules have been around for a while (and are very good),
but the naming convention (and process) essentially implies they are all
still bleeding-edge.
Based on previous postings relative to ossrc, the implication was that
production quality rules would be moved from bleeding into some snort sort
of open-source rule set (eg, community).
Apparently, I'm being overly sensitive to words...
Rich
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
