Wednesday, March 27, 2013

The Talos Community ruleset is live!

As I discussed last week in my blog post concerning the recent Snort Subscriber Rule license changes (blog post can be found here: http://blog.snort.org/2013/03/vrt-rule-license-change-v20.html), the community ruleset, something we've been planning here at Talos, is finally live!

The Community Ruleset is a GPLv2, Talos-certified ruleset that is distributed free of charge without the Snort Subscriber Rule Set License restrictions, without delay, and without oinkcode restriction. It consists of the original GPLv2 rules (SIDs 3464 and below) as well as any rules that have been submitted to us to date for inclusion in the VRT ruleset.

This ruleset is updated daily and is a subset of the subscriber ruleset. If you are a Snort Subscriber, the community ruleset is already built into your download. The subscriber ruleset will continue to be published on Tuesdays and Thursdays.

If you are a registered user (under the 30-day delay) you may also include this ruleset in your Snort installation to stay current. If, when Snort starts up, there are SID conflicts between the two rulesets, Snort will always take the rule with the higher revision number ("rev"). In most cases this will be the community ruleset.
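To see what that conflict resolution means in practice, here is an added example (not code from the post or from Snort/pulledpork) that parses sid/rev out of two constructed rule files and merges them the way the paragraph above describes: on a clashing SID the higher rev wins, while an exact tie is reported for manual review instead of being resolved silently.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules, not taken from any real ruleset. sid 1000001 appears in
# both files; the community copy carries the higher rev and is the one that should win.
REGISTERED_RULES = """\
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE registered copy"; flow:to_server; content:"foo"; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 443 (msg:"EXAMPLE only in registered"; content:"bar"; sid:1000002; rev:1;)
"""

COMMUNITY_RULES = """\
# commented-out rule lines are skipped by the parser
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE community copy"; flow:to_server; content:"foo"; sid:1000001; rev:3;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE only in community"; content:"baz"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> Dict[int, Tuple[int, str]]:
    """Map sid -> (rev, rule line) for every active rule line. Assumes gid 1 throughout."""
    rules: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        rev_m = REV_RE.search(line)
        rev = int(rev_m.group(1)) if rev_m else 0  # assumption: a missing rev counts as 0
        rules[int(sid_m.group(1))] = (rev, line)
    return rules


def merge_rulesets(*rulesets: str) -> Tuple[Dict[int, Tuple[int, str]], List[int]]:
    """Merge rule files: on a sid clash keep the higher rev; report same-sid/same-rev ties."""
    merged: Dict[int, Tuple[int, str]] = {}
    ties: List[int] = []
    for text in rulesets:
        for sid, (rev, line) in parse_rules(text).items():
            if sid not in merged or rev > merged[sid][0]:
                merged[sid] = (rev, line)
            elif rev == merged[sid][0] and line != merged[sid][1]:
                ties.append(sid)  # identical rev, different body: needs a human decision
    return merged, ties


if __name__ == "__main__":
    merged, ties = merge_rulesets(REGISTERED_RULES, COMMUNITY_RULES)
    for sid in sorted(merged):
        print(sid, "rev", merged[sid][0], "<-", merged[sid][1][:60])
    print("ties needing review:", ties)
```

Point it at the actual .rules files from both tarballs to find out, before restarting Snort, which SIDs the community copy will override.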

The ruleset is designed for the most recent version of Snort. This isn't to say that the ruleset won't function on older versions of Snort; we simply design this up-to-date, living ruleset for the most current version of Snort in production.

There are no shared object rules in the community rulepack.

You may download the Community ruleset by editing your pulledpork.conf and adding the following line to your "rule_url" section:
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

The SVN version of pulledpork also contains this functionality, and a new release of pulledpork will be pushed soon.

The authors of the rules in the community ruleset are listed in the AUTHORS file inside the tarball.

If you would like to submit to the community ruleset, you may do so by emailing your rule to vrt [at] sourcefire [dot] com. We require a pcap of the traffic your rule is supposed to detect; in lieu of a pcap, references, screenshots or similar evidence must be provided to give us some indication of what your rule is written to fire on.

Rules submitted to Talos on the Snort-sigs mailing list will also go into the community ruleset with full attribution to the author.

We look forward to working with you all, and the many people that have already submitted rules to us, in order to make this a vibrant, living and breathing ruleset! It's been a long time coming, so thanks for being patient with us!

If there are any questions, please send them to the Snort-sigs mailing list listed above!

I'd like to thank Miklovin of Talos for writing the software to make this all happen!