Snort VRT Rules
Results 1 to 5 of 5

Thread: Snort VRT Rules

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    236

    Snort VRT Rules

    So I went to the new snort.org website last night and I was able to download VRT rules. I have never registered for them nor was I even registered with the snort forum when I downloaded. Since I never clicked 'I agree' does that mean Im still subject to the licensing. Not that the licensing really effects me but I found it interesting with all the licensing talks lately that I could just goto the site and get the the VRT rules released on 3/10.

    Also would there be any reason I could not share these rules?I mean can I just upload them to this post and let whoever wants to get them just download from here?


    I just double checked to and now you cant download them so I guess they fixed there mistake.
    That which does not kill me makes me stronger -- Friedrich Nietzche

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    No thoughts on this?
    I thought for sure TigerShark would have his .02
    That which does not kill me makes me stronger -- Friedrich Nietzche

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I hadn't been there when you posted so I really couldn't comment. But I went there today....

    There's at least two sets of rules there.... Subscribers rules and Registered rules. The subscribers rules seemed to be "newer" but the registered rules were only a few days off IIRC. I clicked on the subscribers rules and got a short sharp "go away" so I scrolled down and clicked the next and got told I have to login... I logged in and there they were.

    I'm not overly concerned about the differences in the rulesets because I am more interested in the rules that will detect attacks against my "specific" systems. I really don't care about the latest PHP exploit or AWStats for example because I don't run the app publicly and there isn't anyone in my company that is sophisticated enough to be using exploits.

    If I can't find a quick fix rule on Bleeding Snort then I try to find the details of the exploit on the web and write my own... Full of FP's to start usually but I can refine as I go. If the exploit is critical and remote I will usually mitigate in any other way I can including shutdown of the service... But I have the benefit of having _no_ mission critical services publicly available.... So it's not a major issue for me.... I could be for a lot of others.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    I'm using the registered users version. So, I'm a couple of days behind. IMO, its not worth the $200/month to suscribe. Especially when there are other sites to get your rules. (bleeding snort, whitehats, mailing lists, etc)

    When you download and unpack the rules, the licensing agreement is in there.
    Take a look at that. IMO, if you are not using the suscriber version, you are not in violation. Everyone can get to the other rules.

    One thing that kinda pisses me off is the SID database on snort.org .

    In BASE, when you click on the "snort" button to find out about an signature alert, the page can't be displayed. I can't find any info yet on how to fix that. They changed their SID database and you get no info from the hyperlink. I have to manually search the rules which works... but is more of a pain. I liked before when you could just click on the link and it brought you to the data you were looking for.

    Aparently snortsnarf still works with it... but that doesn't help me much.
    I want to use it with BASE.

    [off topic]

    Don't want to hijack your thread, but its not worth starting a new one.

    Anyone know how to get it to stop overwriting my rules?
    When I use oinkmaster to update the rules, it doesn't merge the rules, it overwrites with new ones.

    So any of the rules I've commented out in the different categories are reset.

    My snort.cof stays the same, so that isn't a problem... just the updating of the rules.

    EDIT: Found out how... I can edit my oinkmaster.conf file to ignore certain rules and rulesets.

    [/off topic]
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Member
    Join Date
    Jun 2004
    Posts
    37
    By downloading the rules, you are subject to the license included with them.

    VRT rules, by far, are the most highly tested Snort rules out there. They are tested, created, and reviewed with the real vulnerability, the real exploit, and real packet captures.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •