[Snort-sigs] What do the commented-out rules mean?

evilghost at ...3397... evilghost at ...3397...
Tue Dec 1 22:59:07 EST 2009


It does, thanks, Matt.  I also agree with a default-off for the reasons 
you've stated.  As a feature request, a special designator for 
default-off would be nice in the change log; if not really feasible, I 
will cobble together some BASH scripting on my end to accommodate this need.

-evilghost

Matt Olney wrote:
> The VRT will certainly release rules in a default off state.  This is
> especially true in cases where the detection is particularly
> performance poor and the target is not widely deployed.  We also set
> rules to default off if, in the opinion of the analyst, the amount of
> potential false positives is very high, but the detection is still
> needed for servers or clients in a particular (uncommon)
> configuration.  Finally, we'll release rules in a default off state if
> we feel that they are of use only to a limited segment of the user
> base.
>
> We know each network is different, and try to make decisions that work
> on a broad set of networks, but each Snort install needs to be tuned
> in order to provide maximum value.
>
> Hope that makes sense,
>
> Matt
>
> On Tue, Dec 1, 2009 at 9:48 PM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>   
>> Matt/Joel, I could be wrong but I seem to recall a few new signatures in
>> the VRT release being commented-out by default, but listed in the change
>> log as new additions.  Sadly, I cannot give you an exact release but I
>> do distinctly recall this situation.  Was this intentional, and if so,
>> would it be possible to get a designator in the change log to indicate
>> it's disabled by default?  If unintentional, no harm, I just wasn't sure
>> if this was common/expected or not and if VRT releases may include
>> signatures that are disabled by default.
>>
>> Thanks
>>
>> -evilghost
>>
>> Matt Olney wrote:
>>     
>>> Joel is right.
>>>
>>> We turn rules off for several reasons:
>>>
>>> Preprocessors render them irrelevant
>>> Performance impact too high in relation to the threat
>>> False positives too high in relation to the threat
>>> The rule covers an obsolete vuln, and should only be used by people
>>> trapped by old tech.
>>>
>>> Hope that helps,
>>>
>>> Matt
>>>
>>> Sent from my iPhone
>>>
>>> On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler at ...435...> wrote:
>>>
>>>       
>>>> On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin at ...2420...> wrote:
>>>> Hi, all
>>>>
>>>> I analyzed the web-activex rules in both the 2.7 and 2.8 versions. There
>>>> are lots of rules commented out (more than half). So do many other
>>>> files. What do commented-out rules mean? Are they bad rules, or a
>>>> backup for special usage? Thank you very much!
>>>>
>>>>
>>>> It means they are off by default.  You can choose to turn them on, if
>>>> they apply to your environment.
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Joel Esler | 302-223-5974 | Gtalk: jesler at ...435...
>>>> ------------------------------------------------------------------------------
>>>>
>>>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>>>> a free event focused on virtualization and cloud computing.
>>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
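The thread's answer is that a leading "#" on a rule line means the rule ships default-off, and evilghost's fallback is some shell scripting to spot such rules when a release announces them as new. The script below is an added example written for this page, not code from the VRT, the Snort project or anyone in the thread. It assumes one rule per line, which is how the VRT rules files are laid out; the rule lines, the SIDs 9000001 to 9000005 and the change-log entries are constructed for illustration.

```shell
#!/bin/sh
# Inventory and toggle default-off (commented-out) Snort rules.
# Added example for this thread, not code from the VRT or the Snort project.
# Assumes one rule per line, as the VRT rules files are laid out; the rule
# lines, SIDs and change-log entries below are constructed for illustration.
set -e

ACTIONS='(alert|log|pass|drop|reject|sdrop)'
# A rule line, commented out or not.
RULE_RE="^[[:space:]]*#?[[:space:]]*${ACTIONS}[[:space:]]"
# A rule line whose leading '#' makes it default-off.
DISABLED_RE="^[[:space:]]*#[[:space:]]*${ACTIONS}[[:space:]]"

# Print the sid of every rule line read from stdin.
sid_of() {
    sed -E -n 's/.*[;( ]sid:[[:space:]]*([0-9]+)[[:space:]]*;.*/\1/p'
}

# SIDs of the commented-out rules in a rules file.
disabled_sids() {
    grep -E "$DISABLED_RE" "$1" | sid_of
}

# SIDs of the active rules in a rules file.
enabled_sids() {
    grep -E "$RULE_RE" "$1" | grep -v -E "$DISABLED_RE" | sid_of
}

# "enabled=N disabled=M" for a rules file.
rule_counts() {
    printf 'enabled=%s disabled=%s\n' \
        "$(enabled_sids "$1" | wc -l | tr -d ' ')" \
        "$(disabled_sids "$1" | wc -l | tr -d ' ')"
}

# State of one sid in a rules file: enabled, disabled or missing.
rule_state() {
    if enabled_sids "$1" | grep -qx "$2"; then
        echo enabled
    elif disabled_sids "$1" | grep -qx "$2"; then
        echo disabled
    else
        echo missing
    fi
}

# Uncomment the rule carrying sid $2 in file $1; every other line is left alone.
enable_sid() {
    tmp="$1.tmp.$$"
    sed -E "/^[[:space:]]*#[[:space:]]*${ACTIONS}[[:space:]].*[;( ]sid:[[:space:]]*$2[[:space:]]*;/s/^[[:space:]]*#[[:space:]]*//" \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# For each sid in a change log ("SID description" per line), report its state
# in the rules file, so default-off additions stand out.
audit_changelog() {
    while read -r sid _desc; do
        case "$sid" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$sid" "$(rule_state "$2" "$sid")"
    done < "$1"
}

# --- constructed sample data -------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/web-activex.rules"
CHANGELOG="$WORK/changelog.txt"

cat > "$RULES" <<'EOF'
# ---- constructed web-activex.rules; sids and messages are invented ----
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sample control A"; flow:to_client,established; content:"clsid"; nocase; classtype:attempted-user; sid:9000001; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sample control B"; flow:to_client,established; content:"clsid"; nocase; classtype:attempted-user; sid:9000002; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sample control C"; flow:to_client,established; pcre:"/sample/i"; classtype:attempted-user; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ACTIVEX sample control D"; flow:to_client,established; content:"clsid"; nocase; classtype:attempted-user; sid:9000004; rev:3;)
EOF

cat > "$CHANGELOG" <<'EOF'
# constructed change log: sids a release announces as new additions
9000001 WEB-ACTIVEX sample control A
9000002 WEB-ACTIVEX sample control B
9000003 WEB-ACTIVEX sample control C
9000005 WEB-ACTIVEX sample control E
EOF

rule_counts "$RULES"                    # enabled=2 disabled=2
audit_changelog "$CHANGELOG" "$RULES"   # 9000002 and 9000003 report "disabled", 9000005 "missing"
```

Run against a real rules directory, `audit_changelog` turns the release notes into the "disabled by default" designator evilghost asked for, and `rule_counts` is a quick way to see how much of a file is off. Two caveats: only uncomment a rule after checking why the VRT shipped it off (preprocessor overlap, cost, false positives or an obsolete target, per Matt's list), and a hand-edited line is overwritten by the next rule download, so carry such changes in an update tool's local overrides (Oinkmaster's `enablesid` or PulledPork's enablesid list) rather than in the rules files themselves.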