In COS 5.2 it says I have over 1500 detection rules in intrusion detection. In 6.3 I only have 525.

It was stated that in creating different releases for professional and community, that there would be no losses. 1000 detection rules less seems like a pretty big loss.

Am I just seeing this wrong? Are the rules just more efficient?
Thursday, August 02 2012, 10:39 PM
Responses (9)
  • Wednesday, October 03 2012, 04:55 PM
    Paul wrote:
    So then where does the ClearOS IDS update subscription come from?


    Mostly Emerging Threats, but it's a moving target. When a new rule set appears:

    - We merge in the rules (at least the good ones!)
    - Apply intrusion prevention (snortsam) tags on a subset of the new rules
    - Sanity check, since what some rules assume won't always hold (it depends on variables set in snort.conf)

    It's not 100% automated and probably never will be. A human needs to review and test the changes every week.
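What two of the weekly review steps above look like when scripted, as an added example that is not part of this thread and not ClearOS's own tooling: one function flags rules that reference a `$VARIABLE` the local snort.conf never defines (the sanity check in the third bullet), and another appends the snortsam `fwsam: src, <duration>;` rule option to a chosen set of SIDs (the second bullet). The function names, file names and the sample snort.conf and rule contents are constructed for the example; the paths are not ClearOS's real ones.

```shell
#!/bin/bash
# Added example, not ClearOS code. Two of the review steps scripted:
#  - undefined_vars_in_rules: flag rules that use a $VARIABLE snort.conf never
#    defines (such a rule fails to load, or silently never matches)
#  - tag_for_prevention: add the snortsam "fwsam:" option to a chosen set of SIDs
# Function names, file names and the sample contents are hypothetical.

# Constructed snort.conf and rule file, written to a temp dir; prints the dir.
make_samples() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/snort.conf" <<'EOF'
# constructed fragment, not a real ClearOS snort.conf
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/snort/rules
EOF
    cat > "$sample_dir/et.rules" <<'EOF'
# constructed rules with ET-style SIDs; two reference variables the conf lacks
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE WEB probe"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE SMTP probe"; sid:2000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORTS (msg:"EXAMPLE SNMP probe"; sid:2000003; rev:1;)
EOF
    printf '%s\n' "$sample_dir"
}

# Names defined with ipvar/portvar/var in snort.conf, one per line.
defined_vars() {
    awk '/^(ipvar|portvar|var)[ \t]/ { print $2 }' "$1"
}

# Print "<sid> <VAR>" for every $VAR a rule uses that snort.conf does not define.
undefined_vars_in_rules() {
    rules_file=$1
    conf_file=$2
    defined=" $(defined_vars "$conf_file" | tr '\n' ' ') "
    grep -E '^(alert|drop|log|pass|reject|sdrop)[[:space:]]' "$rules_file" |
    while IFS= read -r rule; do
        sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p')
        for var in $(printf '%s\n' "$rule" | grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u); do
            case "$defined" in
                *" $var "*) ;;                       # defined in snort.conf: fine
                *) printf '%s %s\n' "$sid" "$var" ;; # undefined: report it
            esac
        done
    done
}

# Copy the rule file to stdout, appending the snortsam option "fwsam: src, 1 hour;"
# to the rules whose SIDs are given as arguments (block the source address for an hour).
tag_for_prevention() {
    rules_file=$1
    shift
    awk -v sids=" $* " '
        /^(alert|drop|log|pass|reject|sdrop)[ \t]/ && match($0, /sid:[ \t]*[0-9]+;/) {
            sid = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", sid)
            if (index(sids, " " sid " ") > 0 && $0 !~ /fwsam:/)
                sub(/\)[ \t]*$/, " fwsam: src, 1 hour;)")
        }
        { print }' "$rules_file"
}

# Demo when run directly: ./check_rules.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    echo "Rules referencing variables not defined in snort.conf:"
    undefined_vars_in_rules "$d/et.rules" "$d/snort.conf"
    echo "Rule file with SIDs 2000001 and 2000003 tagged for snortsam:"
    tag_for_prevention "$d/et.rules" 2000001 2000003
    rm -rf "$d"
fi
```

On the sample input the check reports SID 2000002 (`$SMTP_SERVERS`) and 2000003 (`$SNMP_PORTS`); a rule like 2000002 would otherwise be merged and then fail at Snort start-up, which is exactly why the human review step exists. Tagging is done on a copy to stdout rather than in place so the untouched vendor file can be diffed against the next weekly drop.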
  • Paul
    Tuesday, October 02 2012, 08:11 PM
    Peter Baldwin wrote:
    ...so it's possible to roll this out as a paid app.

    So then where does the ClearOS IDS update subscription come from?

    I may delve back into Snort again at some point and install the VRT rules myself, but I'm lazy and have other interests nowadays. I'd like an easier way to do it - that's why I decided to try ClearOS in the first place. I found building my own custom gateways becoming too time-consuming and boring, so I really don't mind paying you guys to do that!

    In any case I still like the VRT rules idea. Easy, messy, DIY, whatever doesn't matter. Just exploring the options...
  • Tuesday, October 02 2012, 04:10 PM
    This is an interesting concept. I would greatly appreciate the ClearOS dev team researching the availability of the 30 day old definitions. This would bring it in line with the 5.X model that I sold ClearOS to my clients on. You get all this stuff for free as part of the package. It does not update as often or as quickly, but it does continue to get updated.


    Yup, ClearCenter investigated this a couple of years ago -- a licensing/redistribution fee is required. The framework in ClearOS 6 was changed to support multiple rule set vendors, so it's possible to roll this out as a paid app. To make it a free app, an end user would have to manually create a SourceFire account and set their "Oinkcode" via a webconfig app. Messy.
  • Monday, October 01 2012, 01:08 AM
    This is an interesting concept. I would greatly appreciate the ClearOS dev team researching the availability of the 30 day old definitions. This would bring it in line with the 5.X model that I sold ClearOS to my clients on. You get all this stuff for free as part of the package. It does not update as often or as quickly, but it does continue to get updated.
  • Paul
    Thursday, September 27 2012, 09:06 PM
    IANAL, but based on my cursory review of the license, it appears the ClearOS devs could be legally distributing the 30-day late VRT rulesets as Community Edition updates, if they were inclined to do so. Section 2.2(a):

    a) Download, install, use and deploy the Registered User VRT Rules on Snort® sensors that such Registered User manages (over which such Registered User has administrative control);

    This would seem legitimate to me in terms of defining "administrative control" as the portion of the system where software updates are provided by/through Clear for registered instances of the Community Edition.

    I think this provides an interesting example of how the GPL token may or may not get passed through various users' "registration" systems, and may or may not be invoked for revenue generation purposes.
  • Thursday, September 27 2012, 08:32 PM
    Also there are lots of rules on the Emerging Threats site. I have a script on this forum to automatically update ET rules but it needs a bit of updating for the new version of snort and file locations in ClearOS 6.x. I won't be doing that until after I upgrade my server, but it is pretty easy for anyone to do.
  • Paul
    Thursday, September 27 2012, 08:25 PM
    The VRT-certified rules subscribers pay for are available for free download to registered users at the snort.org site 30 days after initial release.
  • Friday, August 03 2012, 04:19 PM
    Alright, that makes plenty of sense. I am cheap, so it's time to figure out how to get the ET updates coming in automatically.
  • Friday, August 03 2012, 03:47 PM
    Hi Chris,

    A loooong time ago, Snort moved from open source to paid subscription for their rules. We maintained these rules for 5.x, but we were falling behind on quality ... bit by bit. With version 6, we now have two rule sets:

    - GPL / free from Snort: 525 rules, old, and not very useful unfortunately.

    - Intrusion Protection Updates - a paid app with 12,000+ rules. Yes, 12,000 rules. Most of the rules are from Emerging Threats, but we tweak the rules quite a bit.

    You can get the Intrusion Protection Updates in the Community Edition, so it's no different than Professional. In other words, this is a 5.x-to-6 change, not a Community-to-Professional change.