[Snort-sigs] Rule Set Completeness

Matt Jonkman matt at ...2436...
Tue May 9 08:37:03 EDT 2006


> Gentoo-Wally and Erik Fichtner wrote:
> 
>> 1. Is the VRT set supposed to be a "complete" (for the lack of a better
>> word. Maybe adequate would be better?) rule set capable of independent
>> deployment. "Complete" meaning including rules for most known
>> vulnerabilities/attacks or...
> 
> No.  Of the fuzzy "sorta" variety of no.   It's complete in the sense that
> if it doesn't detect something and you're a paying customer of sourcefire,
> you can complain and alter that situation.

Well put. The BS signatures are an addition to the core sets from SF and
VRT. But I'd say they aren't an optional thing. There are some very
important sigs in the BS sets.

There are also some rather experimental and possibly dangerous and high
load sigs.

You SHOULD run the VRT or GPL snort set, Bleeding Snort, and the
Community set. But you should NEVER run any of those sets in their
entirety on any sensor without review. You need to look through them all
and make decisions. (Yes... ALL of them)

That is time consuming, and will give you a good migraine if you try to
do too many at once. But it's a necessary step to any IDS setup. You
MUST understand what you're watching for, and what you're not watching
for. Otherwise the data you get is meaningless if you are assuming the
absence of certain alerts means they aren't happening, when in fact you
aren't running the rules you think you are, or they don't do what you
assumed they did.

Once you get through the initial load, you just need to review the
changes, which come in emails to the snort-sigs and bleeding-sigs lists
(http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs).

You should look at each sig before pushing it. Not necessarily that you
need to be able to understand and second guess the sigs writer. But that
you understand the sig's intention and use. Some are internal only,
external only, high risk nets, PHI/HIPAA nets, classified
environments... etc.

> 
>> 2. Would a "complete" or "more complete" set include the combination
>> of VRT+Community+BleedingEdge Snort. If so...
> 
> Yes.
> 

DEFINITELY!!!

>> 3. Would the combination of VRT+Community+BleedingEdge result in a lot
>> of duplicate signatures?
> 
> Of course it would.  Yes.
> 
> see also: OSSRC Rules Overlap Committee.
> 

There are some dupes now. We are trying to work them out with the SF
folks via the overlap committee. It's slow at the moment. That committee
is just getting its legs, and has a lot of work ahead of it. But have
faith, I know they'll get into motion soon!

The number of dupes is not significant. You aren't going to be putting
significant load on a sensor unnecessarily. Some, yes, but not a lot if
you do a good review of sigs before you make the initial load.

Matt



--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------
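The review Matt describes (look at every sig before loading it, know which sets overlap, know which rules are scoped to internal or external traffic) is easier with a small script than by eye. The following is an added example, not code from this thread, from Sourcefire or from the Bleeding Snort project. It parses rules from several sets and reports SIDs that appear in more than one set, rules whose header and detection options are identical under different SIDs (the overlap that only adds sensor load), and rules with `any -> any` scope that deserve a second look before deployment. The three rule sets embedded below are constructed samples with made-up SIDs and messages; the option parser is deliberately simplified and splits on `;`, so it assumes no option value contains a semicolon.

```python
"""Cross-set Snort rule review helper (added example; constructed sample rules)."""
import re
from collections import defaultdict

# Constructed sample rule sets; SIDs in the 9xxxxxx range and the messages are
# illustrative only and do not correspond to any real published rule.
RULE_SETS = {
    "vrt": """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:9000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE NETBIOS probe"; flow:to_server,established; content:"|FF|SMB"; sid:9000002; rev:1;)
""",
    "community": """
# same detection logic as the vrt web rule, different sid and msg
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE COMMUNITY cmd.exe"; flow:to_server,established; content:"cmd.exe"; nocase; sid:9100001; rev:1;)
""",
    "bleeding": """
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE BLEEDING outbound beacon"; content:"beacon"; sid:9200001; rev:2;)
# sid collides with a rule in the vrt set
alert udp any any -> any 53 (msg:"EXAMPLE BLEEDING odd DNS"; content:"|00 00 FF|"; sid:9000002; rev:1;)
""",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options that decide what traffic matches. msg/sid/rev/classtype are
# bookkeeping and are excluded from the overlap key.
DETECTION_OPTS = {"flow", "content", "uricontent", "pcre", "nocase",
                  "offset", "depth", "distance", "within"}


def parse_rule(line):
    """Return a dict for one rule line, or None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparsable rule: " + line)
    rule = m.groupdict()
    opts = []
    # Simplified: assumes no option value contains a ';' character.
    for opt in re.split(r";\s*", rule.pop("opts")):
        if opt:
            name, _, value = opt.partition(":")
            opts.append((name.strip(), value.strip()))
    rule["options"] = opts
    rule["sid"] = next((v for k, v in opts if k == "sid"), None)
    rule["msg"] = next((v.strip('"') for k, v in opts if k == "msg"), "")
    return rule


def detection_key(rule):
    """Header plus detection-relevant options, in order, as a hashable key."""
    header = (rule["action"], rule["proto"], rule["src"], rule["sport"],
              rule["dir"], rule["dst"], rule["dport"])
    return header + tuple((k, v) for k, v in rule["options"] if k in DETECTION_OPTS)


def load_sets(rule_sets):
    """Parse every set; returns {set_name: [rule, ...]} in the given order."""
    return {name: [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]
            for name, text in rule_sets.items()}


def find_duplicate_sids(parsed):
    """Return {sid: [set names]} for SIDs that occur in more than one set."""
    seen = defaultdict(list)
    for name, rules in parsed.items():
        for r in rules:
            seen[r["sid"]].append(name)
    return {sid: names for sid, names in seen.items() if len(names) > 1}


def find_overlaps(parsed):
    """Return groups of (set, sid) whose header and detection options are identical."""
    groups = defaultdict(list)
    for name, rules in parsed.items():
        for r in rules:
            groups[detection_key(r)].append((name, r["sid"]))
    return [members for members in groups.values() if len(members) > 1]


def find_unscoped(parsed):
    """Rules with 'any' as both source and destination: they fire regardless of
    direction, so they need the internal/external review before deployment."""
    return [(name, r["sid"]) for name, rules in parsed.items() for r in rules
            if r["src"] == "any" and r["dst"] == "any"]


if __name__ == "__main__":
    parsed = load_sets(RULE_SETS)
    print("duplicate sids:", find_duplicate_sids(parsed))
    print("identical detection:", find_overlaps(parsed))
    print("unscoped (any -> any):", find_unscoped(parsed))
```

To use it against real files, replace the `RULE_SETS` strings with the contents of each `.rules` file; the overlap key intentionally ignores `msg`, `sid` and `rev`, so two sets that ship the same check under different names show up as one group, which is exactly the kind of duplicate worth resolving before loading all three sets on one sensor.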