[Snort-devel] "deleted.rules" some problems.

Erek Adams erek at ...835...
Mon Mar 17 05:35:46 EST 2003


On Sun, 16 Mar 2003, John D. wrote:

> I know that in normal circumstances, one would not want to use the Snort
> rules in the "deleted.rules" file, but there are two rules I want to
> bring to the attention of the Snort development community.
>
> In particular:  [1:113:4] BACKDOOR DeepThroat access causes Snort to
> Crash.  Do we really need this rule to be in there?
>
> A number of my clients pointed this out, and I set up their system to
> frequently download the latest rules, and sometimes they like to include
> this one, despite repeated warnings not to use it.  There is also one
> other rule in there that triggers on EVERY packet.
>
> [1:1620:3] BAD TRAFFIC Non-Standard IP protocol
>
> Has anyone bothered to verify my claim, and what is the normal procedure
> for reporting these kinds of problems...

<coffeeless rant mode>

To make a long story short, deleted.rules is there for one reason.
Historical purposes.  It's not meant to be used in a production setup,
which is why it's in "deleted.rules".

If your clients want 'all the rules on' to protect against 'all the
attacks'....  Part of me feels rather sorry for you.  If the developers
of Snort would have thought it 'good' to turn on all rules, then there
wouldn't be any commented out or any deleted.rule, now would there?  Those
rules are removed or commented out for a _reason_.

The bug?  Your clients are enabling rules that shouldn't be enabled in a
production setup.  _Maybe_ you would turn those on in a testlab for
testing purposes, but that's _it_.  A well-tuned ruleset of about 300-400,
maybe less, sigs is all you really need in a production setup.  You take
the time to learn the network, turn on specific rules, add rules to detect
odd traffic, etc...  It's called rule tuning.  Depending on the network,
it takes about a week.  If you don't do it...  They are going to get so
many false alarms that they don't even look at the IDS reports anymore.
If that happens, why even bother to have an IDS?

</coffeeless rant>

Either tell them "No, you don't use those rules, they are for historical
purposes only."  Or get some clients who will listen to you.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
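
A check that could run after each automated rule download, added here as an example and not part of the original message or of Snort itself: it flags a snort.conf that still includes deleted.rules and lists the sids that would go live from it. The config fragment, rule headers and function names are constructed for illustration; only the msg/sid/rev values of the two deleted rules come from the thread.

```python
import re

# Constructed sample input (not from the thread). Rule headers are placeholders;
# only the msg/sid/rev values of the two deleted rules come from the message above.
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/web-cgi.rules
include $RULE_PATH/deleted.rules
"""
SAMPLE_FILES = {
    "../rules/backdoor.rules":
        'alert tcp any any -> any any (msg:"constructed rule"; sid:1000001; rev:1;)\n',
    "../rules/deleted.rules":
        'alert udp any any -> any any (msg:"BACKDOOR DeepThroat access"; sid:113; rev:4;)\n'
        '# alert ip any any -> any any (msg:"constructed, disabled"; sid:1000002; rev:1;)\n'
        'alert ip any any -> any any (msg:"BAD TRAFFIC Non-Standard IP protocol"; sid:1620; rev:3;)\n',
}

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def active_includes(conf_text):
    """Return uncommented include paths with $VAR references expanded."""
    variables, paths = {}, []
    for line in conf_text.splitlines():
        if (m := VAR_RE.match(line)):
            variables[m.group(1)] = m.group(2)
        elif (m := INCLUDE_RE.match(line)):
            expand = lambda v: variables.get(v.group(1), v.group(0))
            paths.append(re.sub(r"\$(\w+)", expand, m.group(1)))
    return paths

def enabled_sids(rule_text):
    """Return sids of rules that are not commented out (single-line rules only)."""
    lines = (l.lstrip() for l in rule_text.splitlines())
    found = (SID_RE.search(l) for l in lines if l.startswith(ACTIONS))
    return sorted(int(m.group(1)) for m in found if m)

def audit(conf_text, files):
    """List (path, live sids) for every active include of deleted.rules."""
    return [(p, enabled_sids(files.get(p, "")))
            for p in active_includes(conf_text)
            if p.rsplit("/", 1)[-1] == "deleted.rules"]

if __name__ == "__main__":
    for path, sids in audit(SAMPLE_CONF, SAMPLE_FILES):
        print(f"{path} is included; live sids from it: {sids}")
```

Rules split across lines with a trailing backslash are not joined here, so a production version would need to merge continuation lines before matching.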



