Emerging Threats: Exactly What A Collaborative Security Community Should Be!
Posted by jeremy on 1st September 2009
As an active security researcher and enthusiast I have participated in and/or come into contact with numerous security related communities in the past, but I can honestly say that none of them can compare to the open collaboration found at Emerging Threats on a daily basis. Emerging Threats was founded by Matt Jonkman in early December of 2007 after Matt parted from his previous project Bleeding Edge (BleedingThreats). Bleeding Edge was also a very successful project, and is where I first came into contact with Matt. Bleeding Edge, in its day, was the premier place for malware and zero-day Snort IDS signatures, entirely driven by the contributions of a very active security community. I am not privy to the details as to why Matt left Bleeding Edge, but I do remember the shock I felt when he published his announcement to the mailing list on the 16th of November 2007 stating his departure. I remember thinking that day what a loss for the security community, and began to wonder if the project could survive without his participation. Well, long story short, Bleeding Edge quickly died, with no new snort rule updates being published and the mailing list never receiving any feedback from the new leaders of the project. It was really a sad few weeks for people like me that depended heavily upon the great snort signatures this community so actively published and made available to us free of charge. Then I read an announcement from Matt announcing the Emerging Threats project with this post “Emerging Threats Online!!!”.
This announcement marked the start of what I would call one of the best open-to-everyone security communities online today. Soon Emerging Threats picked up the support for the Bleeding Edge rules, replicating the Bleeding rulesets, and reopened the mailing lists for the community to participate in Matt’s new vision of a completely grant-funded project. Matt’s vision has led to numerous other projects being hosted and/or sponsored by Emerging Threats. These projects capture the creativity of some well-known security community contributors such as William Metcalf, David Glosser, Victor Julien, James McQuaid, and many others. I would definitely recommend anyone reading this post to take a serious look at these projects, as they are always looking for help and input to make them better. Another great source for information regarding Emerging Threats snort rules and projects is the wiki, which houses a collaborative environment in which anyone that chooses to do so can provide comments and feedback regarding individual snort rules.
The Emerging Threats mailing lists are always active, and some of the best community-contributing snort signature writers out there participate on a daily basis. This mailing list is not like several other mailing lists out there where a “n00b” (newbie) has to fear being flamed by the gurus on the list. Instead, beginners’ questions are answered in a professional and helpful manner, providing for a very open and friendly collaborative environment. I have seen situations arise from time to time where someone or some company representative has posted negative remarks regarding certain rulesets and/or specific signatures, but all of these situations were handled with professionalism. Many times the answers to these complaints contain apologies and responsive corrections to errors or mishaps in a very short time frame. Other times these posts are answered with requests for suggestions from the poster and community on how they can be corrected. You really can’t ask for more than that from a project that is offering its services free of charge for all of us to benefit from where we see fit. Warning: the following is a rant, so skip to the next paragraph if you don’t like to read rants! I have had the pleasure of working for a very large organization for the last few years, and during this time I have also had the pleasure of evaluating and demoing a wide range of IDS/IPS commercial solutions and/or products. During these evaluations and demos I have heard from several sales guys, and their sales engineers, that the Emerging Threats rulesets are terrible and how their in-house developed rulesets do a better job of protecting you from malicious code and zero-day attacks. Now, being a contributing community member of Emerging Threats, this really hits me in the gut, so of course I begin to dive into these so-called optimized and efficient rulesets, and I bet you can guess what I find.
I find snort rules written with PCREs that contain no content anchor, Domain Name content matches, and in some cases reused Emerging Threats rules with a new message, of course. Now, this is not the case for all vendors or commercial products that I have had the pleasure of evaluating or coming into contact with, so don’t take this the wrong way. I just hate hearing how terrible something is when in fact the Emerging Threats rulesets contain some of the best signatures for malicious code and zero-day attacks available to the public. Just a suggestion to any vendor, company, sales guy, and/or sales engineer in the business: please stop spreading this nonsense, as it only discredits your professionalism and makes me question your knowledge in the area of IDS/IPS technology. OK, the rant has ended!
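To make the “PCRE with no content anchor” complaint concrete, here is an added example (not from the original post or from any Emerging Threats ruleset) that models how a Snort `content:` match acts as a cheap prefilter in front of an expensive `pcre:`. The rule patterns and HTTP payloads are constructed for illustration; the two rules match the same traffic, but only the anchored one avoids running the regex against every packet.

```python
import re

# Constructed rule models, not rules from the page or from any real ruleset.
# Both look for the same request shape; they differ only in whether a literal
# content match gates the regex (in Snort the content also serves as the
# fast-pattern prefilter).
PCRE = re.compile(rb"GET\s+/[a-z]{6,8}\.php\?id=\d+", re.I)
RULES = {
    # Unanchored: the regex is evaluated against every payload that reaches it.
    "pcre_only": {"content": None, "pcre": PCRE},
    # Anchored: a byte-string search runs first; the regex only runs on hits.
    "anchored": {"content": b".php?id=", "pcre": PCRE},
}


def evaluate(rule, payload):
    """Return (matched, pcre_evaluated) for one payload against one rule."""
    if rule["content"] is not None and rule["content"] not in payload:
        return False, False          # prefilter miss: regex never runs
    return PCRE_SEARCH(rule, payload), True


def PCRE_SEARCH(rule, payload):
    return rule["pcre"].search(payload) is not None


def run(rule, payloads):
    """Return (alert_count, regex_evaluations) over a payload list."""
    alerts = pcre_runs = 0
    for payload in payloads:
        matched, ran = evaluate(rule, payload)
        alerts += int(matched)
        pcre_runs += int(ran)
    return alerts, pcre_runs


# Constructed sample traffic: four benign requests and one that fits the pattern.
PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a&pass=b",
    b"GET /gateway.php?id=12345 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for name, rule in RULES.items():
        alerts, pcre_runs = run(rule, PAYLOADS)
        print(f"{name:10s} alerts={alerts} regex_evaluations={pcre_runs}")
```

Same detection result either way, but the unanchored rule spends a regex evaluation on every payload, which is what makes such rules a performance problem on a busy sensor.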
Matt’s successful leadership, persistence, and expert guidance over his vision at Emerging Threats has also led to him starting another project that appears to be kicking off with a great start with the help of government sponsorship and funding: the “Open Information Security Foundation” (OISF). According to the FAQs at OISF: “The OISF was formed primarily to begin the development of this new IDS/IPS engine, but will over time take on new projects and challenges. The OISF can be a home to any interested project in need of funding and long term support” (What is OISF?). This project really appears to have the beginnings and community participation to reshape what we consider an IDS/IPS engine to be, with numerous creative and innovative visions contributed by the community: “Proposed Features for the Engine and the OISF Wiki”. I would recommend anyone reading this post with an interest in IDS/IPS technology to sign up and participate in this project, as they too, just like Emerging Threats, are always looking for help and/or feedback that will make the project better.
I would like to personally extend a “THANK YOU” out to Matt and the members of the Emerging Threats community. Matt, if we are ever in the same place at the same time I owe you a beer! Thanks again for the hard work, and I wish you and your projects nothing but success.