[Snort-sigs] recent vrt updates disable many rules (web-iis, web-cgi, web-misc etc)

monitz mmonitz at ...2420...
Mon Apr 26 02:17:00 EDT 2010


I feel that these kinds of changes should be listed as "disabled" and not as
"modified" in update publishing.

Thanks for the response, Alex.

Does anyone know how to address the issue on oinkmaster?




On Mon, Apr 26, 2010 at 5:47 AM, Alex Kirk <akirk at ...435...> wrote:

> The VRT has been conducting reviews of the default policies of late - both
> those included in the metadata fields and the implied policies of commented
> out vs. not commented out. There are a number of rules that, in their time,
> were very useful, but are no longer, due to their age - many of these rules,
> for example, were for vulnerabilities 5 or more years old. Given that
> running a tighter, more focused ruleset is likely to produce more useful
> alerts, and given that a number of users simply accept the VRT defaults
> without much further thought, we decided it was best to turn off some of our
> older rules, where the probability of a successful attack has become
> exceedingly low.
>
> Anyone who wants these rules, of course, is free to turn them right back
> on. That's the beauty of running your own IDS - you need not accept the
> VRT's judgments as your own if you don't want to.
>
> On Sun, Apr 25, 2010 at 3:53 AM, monitz <mmonitz at ...2420...> wrote:
>
>> Hello
>> I have noticed that the recent VRT update (08 April I think) comments out
>> many sigs.
>> I cannot find an announcement or explanation for this.
>>
>> does anyone have any idea why this happens?
>>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...435...
>
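
An added example, not part of the original thread: one way to tell rules that an update commented out apart from rules whose content changed, and to emit `enablesid` lines (the oinkmaster.conf directive for re-enabling a rule) for the former. The rule text and SIDs are constructed samples, not VRT rules, and the function names are hypothetical.

```python
import re

# Active or commented-out rule line; group 1 is the leading "#", group 3 the sid.
RULE_RE = re.compile(
    r'^\s*(#)?\s*((?:alert|log|pass|drop|reject|sdrop)\s.*\bsid\s*:\s*(\d+)\s*;.*)$')

# Constructed sample rules (not VRT rules): the same file before and after an update.
OLD_RULES = '''
alert tcp any any -> any 80 (msg:"EXAMPLE cgi"; content:"/example.cgi"; sid:1000001; rev:3;)
alert tcp any any -> any 80 (msg:"EXAMPLE iis"; content:"/example.asp"; sid:1000002; rev:5;)
alert tcp any any -> any 80 (msg:"EXAMPLE misc"; content:"/example.php"; sid:1000003; rev:1;)
'''
NEW_RULES = '''
# alert tcp any any -> any 80 (msg:"EXAMPLE cgi"; content:"/example.cgi"; sid:1000001; rev:3;)
# alert tcp any any -> any 80 (msg:"EXAMPLE iis"; content:"/example.asp"; nocase; sid:1000002; rev:6;)
alert tcp any any -> any 80 (msg:"EXAMPLE misc"; content:"/example.php"; nocase; sid:1000003; rev:2;)
'''

def parse_rules(text):
    """Map sid -> (enabled, rule_text) for every rule line, commented out or not."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # ordinary comments and blank lines do not match
            rules[int(m.group(3))] = (m.group(1) is None, m.group(2).strip())
    return rules

def classify(old_text, new_text):
    """Separate enable-state flips from content changes for rules present in both files."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    report = {"disabled": [], "enabled": [], "modified": []}
    for sid in sorted(old.keys() & new.keys()):
        (was_on, old_body), (is_on, new_body) = old[sid], new[sid]
        if was_on and not is_on:
            report["disabled"].append(sid)
        elif is_on and not was_on:
            report["enabled"].append(sid)
        if old_body != new_body:  # a rule can be both disabled and edited
            report["modified"].append(sid)
    return report

def enablesid_lines(report):
    """oinkmaster.conf lines that turn the newly disabled rules back on."""
    return ["enablesid %d" % sid for sid in report["disabled"]]

if __name__ == "__main__":
    print(classify(OLD_RULES, NEW_RULES))
    print("\n".join(enablesid_lines(classify(OLD_RULES, NEW_RULES))))
```

Review the "disabled" list before re-enabling anything, since each rule turned back on adds to the alert volume the update was trying to reduce.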