Snort Forums Archive
Why would anyone want to submit a rule under VRT?
Posted by Anti on March 08, 2005 08:26:26
Other than getting your name added to a contributors list, it would seem detrimental to the rest of the community to submit a rule this way. Shouldn't only the rules developed by Sourcefire's VRT team go under this license?
Posted by BOfH on March 08, 2005 09:30:29
It would seem that you have a choice of license when you submit a rule. Stick with the GPL if you like.
If I were a subscriber (and I'm not right now), I might submit under the VRT license to share with my fellow subscribers.
At least you have a choice.
Posted by Anti on March 08, 2005 10:13:35
Yes, there is a choice. My point is: why would anyone ever submit under VRT when they can submit under GPL?
You're saying that if you were a subscriber you would submit under VRT so that you could share with your fellow subscribers. Why not just submit under GPL and share with everyone, including your subscribers?
My interpretation of what has been stated was that VRT licensing was a way to ensure that all the research and money put in by the Sourcefire team on rules did not basically get used by other companies. But having the general user submit under this license would not benefit the community at all. And it would seem that Sourcefire will make money off your work and all you get is your name in the contributors.
Posted by BOfH on March 08, 2005 10:59:32
Because if I were a subscriber and I submitted under the VRT license, I would only be sharing with my fellow paid subscribers. I could also be sure that my work wasn't being leeched by other companies and used by them.
Of course, after five days, the rules would be distributed to everyone else anyway.
As a non-subscriber, I will stick with the GPL submission when I have something to offer.
Posted by Anti on March 08, 2005 11:37:00
So if you can afford to pay for VRT and I can't then you would rather just share your rules with others who can afford it (i.e. your fellow paid subscribers). Once again this makes absolutely no sense to me. Why not share with everyone for the good of the internet in general?
Also you said you wouldn't want your work leeched by other companies. Well, isn't that exactly what's happening if you submit under VRT? Sourcefire now sells your rules to their customers and VRT subscribers. How much money did you make for your work? A big 0!.
Posted by mwatchinski on March 08, 2005 12:00:34
There are a couple of reasons one might submit a rule under the VRT license.
The first of which is that it is a challenge. The VRT enforces strict criteria on any rules being considered for inclusion into the rule set. Some of these criteria are:
1. Detailed documentation for the rule.
2. Associated Pcap of attack traffic.
3. Rule must find the vulnerability and not the exploit.
4. Must not adversely affect Snort's performance.
5. etc....
Additionally as you pointed out it gives you fame and glory as you will be recognized for your accomplishment if the rule is accepted, and you want to be publicly recognized.
On top of that it shows technical skill in a number of different areas that separates you from everyone else.
Posted by BOfH on March 08, 2005 12:45:11
"Why not share with everyone for the good of the internet in general?"
You want to use a BSD license for everything?
"How much money did you make for your work? A big 0!."
That's about the same amount as you make for GPL rules that folks from other companies have taken and sold without regard for licensing.
My point is still that you have a choice, it's your choice, as a registered user I can choose to submit my rules under two schemes. It could be more (although that would get unmanageable no doubt) but it is certainly better than having no choice.
Reading the post above, heck it would be a good challenge to get some rules included in the VRT set.
Posted by Anti on March 08, 2005 13:01:24
Shouldn't these be requirements for any rule you submit? Also can you point me to where you actually read these are VRT requirements, because I can't seem to find that? I went through both submissions and both ask for the same things you talked about (pcap, documentation, rule....). So whether you submit GPL or VRT the challenge is in making the best rule, not how you submit it.
If I spent my time making a good rule I would want the most people to get it and I would not want to submit it to Sourcefire to be their intellectual property. I would want to retain ownership of the rule since I worked hard for it.
I believe strongly in giving credit where credit is due. I don't think it matters if it's a VRT or GPL. I'll attach a portion of the GPL license that enforces copyright.
I don't get it. BOfH, you said you're not signed up for VRT but you're preaching very highly for VRT and to prevent other companies from selling rules without regard for licensing. You sound like you should be a Sourcefire spokesman. You're willing to give away your intellectual property to Sourcefire and let them resell your hard work while you get nothing in your pocket. I would submit a rule under VRT if I could also collect on the profits made from my rule. Heck, to be fair, anyone that submits should get 1/(number of total rules) out of each dollar that the VRT rules make. Maybe a little less for all the work Sourcefire will do in testing. But then if you've passed the 'challenge' and submitted a rule with VRT criteria then you will already know it passes this.
--snippet--
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
--end snippet--
Posted by mwatchinski on March 08, 2005 14:17:56
If you write great rules and you want to get paid for them, send in your resume, we are hiring.
resumes (at) sourcefire.com
Posted by SamP on March 09, 2005 14:49:01
If someone can't afford to be a paid subscriber, they probably can't afford to have a state-of-the-art lab/testing facility that can simulate real traffic, real servers, real clients, etc in an enterprise type of environment and be able to simulate "real" attacks. Not the skiddy kind, but the corporate-espionage, state-sponsored .. "I'm not gonna trash your web-page with political agenda & gr33tz ... No, I'm gonna pilfer all kind of information & do real damage" kind.
Submitting to VRT will ensure that the sigs are op-tested as well as possible. As was already stated, the option belongs to the submitter. Plus, VRT rules go public in 5 days anyway. The only person who has a zero-day signature is the person that discovers a zero-day vulnerability.
BTW I'm not a paid subscriber, I just see the benefits to both systems.
Posted by novowels on March 09, 2005 18:11:11
Anti,
Your comments seem a little one sided...
--- quote ---
"If I spent my time making a good rule I would want the most people to get it and I would not want to submit it to Sourcefire to be their intellectual property. I would want to retain ownership of the rule since I worked hard for it. I believe strongly in giving credit where credit is due. I don't think it matters if it's a VRT or GPL."
"You're willing to give away your intellectual property to Sourcefire and let them resell your hard work while you get nothing in your pocket. I would submit a rule under VRT if I could also collect on the profits made from my rule."
--- quote ---
Without Snort there are no rules, without the community there is no snort. Without Snort or the community there is no opportunity for recognition...
It is a balance, you can choose what is appropriate for you and what you are comfortable with. To sit here and complain that you cannot profit by riding the works of others makes me think you are the same as the people that created the need to change the license.
Posted by Anti on March 10, 2005 07:57:02
Are rules that are submitted under GPL not tested? I don't see that anywhere. You would assume that if rules are going to be bundled with Snort that they would go through testing as well and not be blindly thrown in there.
I'm not sure where you're going with your having money and simulating a real attack. I don't need money to be able to afford linux or gcc or gdb. It does not take money for me to understand how an exploit works or what network traffic would look like that is exploiting a vulnerability. While I may not be able to run millions of tests and determine if there are possible false positives, I can still write an excellent rule with the knowledge I possess. I would also say that 'skiddy attacks' are more common and can do just as much damage; the goal of the skiddy is arbitrary, it's only the fact that they can't reverse engineer or write exploit code and use pre-published exploits that makes them a skiddy.
And novowels, you're obviously missing the point of this whole topic. I do not want any money at all. I agree with VRT in the sense that if Sourcefire has this expensive lab and all these employees that are making rules that they should profit from them. My point is why should 'Joe Public' submit a rule under this license. Sourcefire made this big announcement about all the hard work they're doing and money they're putting in and they're not getting paid for it, but then they ask the community to submit rules under VRT. I'm saying it serves the community best, whether you can afford VRT rules or not, to submit under GPL. Then VRT and community people get to share, modify and retain possession of the rules. Let the Sourcefire research team do their own work and get paid for it and not make money off the community that does rule work.
On a side note, it's a little disturbing that you can have conversations with people you think are just average people in the community only to learn that they're Sourcefire employees. I think if you're an employee of Sourcefire you should have some sort of title under your name like most forums would.
Posted by Spugee on March 10, 2005 10:25:37
I agree with SamP .. the VRT rules basically go public in 5 days anyway. I think the VRT is an interesting development, you gotta figure Marty made one of the best damn programs on the planet and gave it away... now other corporations are making millions on forked technology. Marty ( and his team ) deserve to eat, buy a house, have a car, etc.. and if this is one way to do that I'll support it as well as I can. I'd much rather see a rule submitted get used for Snort only and not end up in a large corporate product making money for executives who don't understand or care about the technology underneath, and if that means helping support those who created the product, that much the better.
Posted by Anti on March 10, 2005 14:01:11
I'm sure Marty has all those things and then some. I'm sure Sourcefire makes a lot of money with sales as well as the 10's of millions they've received in funding. I very much doubt anyone at Sourcefire has a shortage of money. Why would the rules go anywhere else but Snort? Whether they're GPL or VRT, they're Snort-designed rules. Are you saying someone would port them to another product?
Do you think Linus Torvalds should get money from Red Hat or Mandrake because he started Linux? I would say Linux is the best piece of software ever given away for free. And it has stayed with its open source roots. I would bet Sourcefire uses BSD or Linux in their appliance. Should they be sending money to Linus?
I've never once said they don't deserve money for the work they invest in making VRT rules. I'm saying why should 'Joe Public' submit them this way. 'Joe Public' gives away his right to a rule that he worked hard for. It now becomes Sourcefire intellectual property. 'Joe Public' doesn't get paid a dime.
Posted by roesch on March 11, 2005 10:30:39
Oh yeah, everyone at Sourcefire is just swimming in money...
It's pretty simple. If you want to see if your rules measure up to the commercial grade that we develop to here, you have a route. There could be other benefits as well, such as reputational and possibly even financial (like a job in Sourcefire Research) if you really distinguish yourself. Hell, there could even be free t-shirts in it someday, I can't really say.
If you just want to do GPL rules, go ahead and have fun. If you want to work with us for the potential of the benefits I listed above, that's cool too. It's not something to get upset about, if you don't like it don't do it, if you do we'd be glad to check out your contribution.
-Marty (Sourcefire employee)
Posted by SamP on March 13, 2005 15:39:14
Anti,
You're absolutely correct. You should never submit a rule to VRT under any circumstance. Stick with the GPL option or even submit to BleedingSnort. That is the option that SourceFire has provided.
However, even though you may have the knowledge, understanding, equipment to run open-source tools, and "time" to test a signature properly, I think you should acknowledge and/or respect the fact that there are those who do not have one or more of these resources (especially equipment and/or time) & therefore would willingly give a signature or two (or more) to the VRT.
SamP
(No connection to SourceFire, Snort, BleedingSnort, Marty Roesch, Brian Caswell, Matt Jonkman, etc. whatsoever ... Just a lil contractor that likes to use snort).
Posted by vision on March 19, 2005 14:10:15
"Without Snort there are no rules"
This statement is patently false. There are indeed rules without snort; each commercial IDS has its own rulebase, arachNIDS (the sleeping database, multiyear nap) exported rules to half a dozen IDS, and even desktop firewalls are getting in on the act. There are signatures abound.
Back on topic: I agree with the VRT license because I can understand the frustration of seeing a body of work being exploited for profit by companies. It is my opinion that Sourcefire/Snort is following the mold cast by Tenable/Nessus - another great free security soft out there that has been leeched to death with minimal return from those who profited. I hope it works out..
Posted by lubo on April 11, 2005 00:48:16
It is understandable that security research has to pay off.. but on the other side Sourcefire should provide some kind of overview of which rules are in VRT (those less than 5 days old), so that people don't write rules that already exist..
So maybe a researcher subscription for those who submitted at least 1 rule would be nice..
And I also hope that ALL VRT rules older than 5 days are in the GPL rules..
PS: stating that people don't have research facility/equipment if they don't want to/can't pay for subscription is wrong.. you would be shocked to see what some people have at home..