Re: [Snort-users] Licensing

Martin Roesch, 03-08-2005

One other point: We run the rules through an extensive QA process to
verify that they function correctly and that the entire rest of the
rule set functions properly after integration (i.e. a full regression
test). We run on the order of 6.8 million tests every time we QA a new
rule set to verify that the rules still fire as they should and don't fire
when they shouldn't. We also pay attention to performance when we
develop rules so that our gigabit sensors don't turn into 100Mb
sensors; it's entirely possible to write PCRE rules that take *seconds*
to run per packet...

Additionally, we have the capability in house to develop rules for
vulnerabilities that don't have public exploits available in the wild.
A good example of this was the LSASS.EXE vulnerability that turned into
the Sasser worm. We got notification of the vulnerability along with
the rest of the world on Microsoft Tuesday and quickly reverse
engineered the vulnerability and generated rules. We had rules
available that could pick up almost every variant of Sasser a week
before the worm hit. A more recent example is all the updates that
we've added to netbios.rules for things like ms05-010 and ms05-011.

We have an extensive research and testing capability that we've
developed over the years here and it's translating directly into high
quality rules that allow Snort to have accurate detection while
retaining high performance capabilities in addition to having rules
that are available in advance of exploits. That's the value associated
with the VRT rules today and we intend to bring more to the table as
the service matures.

-Marty


On Mar 8, 2005, at 2:54 AM, Lee Clemens wrote:

> I assume, by "the rest", you mean the community rules? My understanding is
> that the VRT rules are the ones produced and looked over by SF and released
> with each major Snort version (Snort point x._._). Getting the newer
> versions basically means you will have rules that are more current with
> ongoing network/internet activities/vulnerable/worms/viruses that are out
> there at that given time.
>
> An example might be if virus.X comes out, new rules would be written and
> released by VRT to detect it (possibly long) before a new major version of
> Snort may be released.
>
> I hope that helps clarify your question...if it doesn't please let me know
> more specifically what your question is. Basically, it gives you advanced
> detection capabilities...
>
> --Lee
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Florin Andrei
> Sent: Tuesday, March 08, 2005 12:15 AM
> To: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Licensing
>
> On Mon, 2005-03-07 at 21:53 -0500, Martin Roesch wrote:
>
>> 3) VRT rules developed and QA'd at Sourcefire will be available for
>> commercial redistribution if the commercial entity acquires a license
>> from Sourcefire.

>
> Can someone explain to a guy who used Snort a long time ago but didn't
> keep in touch - what are the VRT rules and how are they different from
> the rest? I know they're QA'd by SF, I wonder from a practical
> standpoint - what do they give me, a Snort user, that the other rules
> don't?
>
> --
> Florin Andrei
>
> http://florin.myip.org/

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention -
http://www.snort.org



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users