[Snort-sigs] Rule Set Completeness

Jason Brvenik jasonb at ...435...
Mon May 8 14:17:02 EDT 2006


Erik Fichtner wrote:
> Gentoo-Wally wrote:
> 
> 
>>1. Is the VRT set suppose to be a "complete" (for the lack of a better
>>word. Maybe adequate would be better?) rule set capable of independent
>>deployment. "Complete" meaning including rules for most known
>>vulnerabilities/attacks or...
> 
> 
> No.  Of the fuzzy "sorta" variety of no.   It's complete in the sense that
> if it doesn't detect something and you're a paying customer of sourcefire,
> you can complain and alter that situation.

The rule set is complete in that it detects the things an intrusion
system is typically concerned about. It is not in the sense that it
detects everything you may be concerned about.

The nature of Snort is such that people tend to abuse its capabilities
for things that are not really related to intrusions. A perfect example
is AV or policy violations...

If you want high quality, tested rules backed by dedicated researchers,
QA labs, and a full production test suite (Over 16 million units) for
each release then the VRT set is the only way to go.

> 
> 
>>2. Would a "complete" or "more complete" set include the combination
>>of VRT+Community+BleedingEdge Snort. If so...
> 
> 
> Yes.

Not at all. It would be a hodgepodge of things that will confuse the
general analyst and lead to a false sense of security. (There is far
more to that opinion than can be relayed here.) The rules in the various
sets out there should be combed for issues that you are concerned about
and can personally validate.

> 
> 
>>3. Would the combination of VRT+Community+BleedingEdge result in a lot
>>of duplicate signatures?
> 
> 
> Of course it would.  Yes.
> 
> see also: OSSRC Rules Overlap Committee.
> 
> 
> 
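The overlap question in point 3 can be checked mechanically before merging sets. The script below is an added example, not from this thread or from the VRT, Community or Bleeding Edge projects: it parses single-line Snort rules (the sample rules are constructed for illustration, not real signatures from those sets) and reports SIDs claimed by more than one set as well as rules whose header and content matches coincide, which is a coarse heuristic for functional duplicates rather than a full rule comparison.

```python
import re
from collections import defaultdict

# Constructed sample rules for illustration; not the real VRT, Community or Bleeding Edge signatures.
RULE_SETS = {
    "vrt": ['alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:1122; rev:5;)'],
    "community": ['alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMUNITY WEB-MISC passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:100000123; rev:1;)'],
    "bleeding": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BLEEDING-EDGE WEB passwd"; content:"/etc/passwd"; nocase; sid:1122; rev:2;)',
        'alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE DNS query"; content:"|00 01 00 00|"; sid:2001234; rev:1;)',
    ],
}

CONTENT_RE = re.compile(r'content\s*:\s*(!?)\s*"((?:[^"\\]|\\.)*)"')  # content:"..." or negated content:!"..."
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rule(rule):
    """Return (header, sid, contents) for one single-line Snort rule, or None for comments/malformed lines."""
    rule = rule.strip()
    if not rule or rule.startswith("#") or "(" not in rule or not rule.endswith(")"):
        return None
    header, _, options = rule[:-1].partition("(")  # header before '(', option body inside the parentheses
    sid_match = SID_RE.search(options)
    if not sid_match:
        return None
    contents = tuple(neg + val for neg, val in CONTENT_RE.findall(options))
    return " ".join(header.split()), int(sid_match.group(1)), contents

def find_overlaps(rule_sets):
    """SIDs claimed by more than one set, and rules whose header plus content matches coincide across sets."""
    by_sid, by_fp = defaultdict(list), defaultdict(list)
    for name, rules in rule_sets.items():
        for rule in rules:
            parsed = parse_rule(rule)
            if parsed is None:
                continue
            header, sid, contents = parsed
            by_sid[sid].append(name)
            if contents:  # rules with no content match are too coarse to fingerprint this way
                by_fp[(header, contents)].append((name, sid))
    return {
        "sid_collisions": {s: sets for s, sets in by_sid.items() if len(set(sets)) > 1},
        "content_dups": {fp: hits for fp, hits in by_fp.items() if len({h[0] for h in hits}) > 1},
    }

if __name__ == "__main__":
    for key, value in find_overlaps(RULE_SETS).items():
        print(key, value)
```

Running it on real rule files means reading each file's lines into the dict; a SID collision is fatal (Snort will refuse or override the rule), while a content duplicate is a candidate for dropping one copy after you have validated which one you trust.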