[Snort-sigs] What do the commented-out rules mean?

Matt Olney molney at ...435...
Tue Dec 1 22:46:42 EST 2009


The VRT will certainly release rules in a default off state.  This is
especially true in cases where the detection is particularly
performance poor and the target is not widely deployed.  We also set
rules to default off if, in the opinion of the analyst, the number of
potential false positives is very high, but the detection is still
needed for servers or clients in a particular (uncommon)
configuration.  Finally, we'll release rules in a default off state if
we feel that they are of use only to a limited segment of the user
base.

We know each network is different, and try to make decisions that work
on a broad set of networks, but each snort install needs to be tuned
in order to provide maximum value.

Hope that makes sense,

Matt

On Tue, Dec 1, 2009 at 9:48 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> Matt/Joel, I could be wrong but I seem to recall a few new signatures in
> the VRT release being commented-out by default, but listed in the change
> log as new additions.  Sadly, I cannot give you an exact release but I
> do distinctly recall this situation.  Was this intentional, and if so,
> would it be possible to get a designator in the change log to indicate
> it's disabled by default?  If unintentional, no harm, I just wasn't sure
> if this was common/expected or not and if VRT releases may include
> signatures that are disabled by default.
>
> Thanks
>
> -evilghost
>
> Matt Olney wrote:
>> Joel is right.
>>
>> We turn rules off for several reasons:
>>
>> Preprocessors render them irrelevant
>> Performance impact too high in relation to the threat
>> False positives too high in relation to the threat
>> The rule covers an obsolete vuln, and should only be used by people
>> trapped by old tech.
>>
>> Hope that helps,
>>
>> Matt
>>
>> Sent from my iPhone
>>
>> On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler at ...435...> wrote:
>>
>>> On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin at ...2420...> wrote:
>>> Hi, all
>>>
>>> I analyze the web-activex rules in both 2.7 and 2.8 version. There
>>> are lots of rules commented out (more than half). So do many other
>>> files. What do commented-out rules mean? Are they bad rules, or as a
>>> backup for special usage? Thank you very much!
>>>
>>>
>>> It means they are off by default.  You can choose to turn them on, if
>>> they apply to your environment.
>>>
>>>
>>>
>>>
>>> --
>>> Joel Esler | 302-223-5974 | Gtalk: jesler at ...435...
>>> ------------------------------------------------------------------------------
>>>
>>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>>> a free event focused on virtualization and cloud computing.
>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
>
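The advice above amounts to "inventory what ships default-off and enable only what fits your environment". As an added illustration (this is not code from the VRT, from Snort, or from anyone in the thread), the following Python script scans a rules file for commented-out rules, lists their SIDs and messages so an analyst can review them against local servers and clients, and re-enables a chosen set by SID. It assumes the VRT convention visible in the files discussed here: one rule per line, and a disabled rule written as the rule text prefixed with `#`. The rules it runs over are a constructed sample, not an actual release.

```python
import re

# Constructed sample resembling a .rules file; these are NOT real VRT rules.
SAMPLE_RULES = """\
# Constructed sample, not an actual VRT release
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-ACTIVEX sample control A access"; flow:to_client,established; content:"clsid"; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-ACTIVEX sample control B access"; flow:to_client,established; content:"clsid"; sid:1000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-ACTIVEX sample control C access"; flow:to_client,established; pcre:"/sample/i"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS sample obsolete vuln"; sid:1000004; rev:3;)
"""

# A rule line starts with an action keyword, optionally preceded by a '#' that
# disables it. Lines whose text after '#' is not an action are ordinary comments.
RULE_RE = re.compile(r'^(?P<prefix>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Return a list of (sid, msg, enabled) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        if not m:
            continue  # blank line or plain comment, not a rule
        sid_m = SID_RE.search(stripped)
        if not sid_m:
            continue  # malformed rule without a sid; skip rather than guess
        msg_m = MSG_RE.search(stripped)
        enabled = m.group("prefix") is None
        rules.append((int(sid_m.group(1)), msg_m.group(1) if msg_m else "", enabled))
    return rules


def disabled_by_default(text):
    """List (sid, msg) for every rule that ships commented out."""
    return [(sid, msg) for sid, msg, enabled in parse_rules(text) if not enabled]


def enable_sids(text, sids):
    """Return the rules text with the given SIDs uncommented; everything else untouched."""
    wanted = set(sids)
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        if m and m.group("prefix"):
            sid_m = SID_RE.search(stripped)
            if sid_m and int(sid_m.group(1)) in wanted:
                line = stripped[m.end("prefix"):]  # drop the leading '#'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Review what is off by default before deciding what this site needs.
    for sid, msg in disabled_by_default(SAMPLE_RULES):
        print(f"disabled  sid:{sid}  {msg}")
    # Example decision: the site runs the client that control B targets.
    tuned = enable_sids(SAMPLE_RULES, [1000002])
    print(tuned)
```

Run it against a local.rules or category file to get the default-off list for review; feed the SIDs you decide to keep into `enable_sids` and write the result back, so the decision is recorded per SID rather than by hand-editing the file. The script deliberately does not touch rules that are already enabled or comment anything out, and it ignores comment lines that are not rules.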
