[Snort-sigs] recent vrt updates disable many rules (web-iis, web-cgi, web-misc etc)

Joel Esler jesler at ...435...
Mon Apr 26 07:47:54 EDT 2010


It is my suggestion that you use pulledpork. It gives you the ability
to use the default policy setups in the metadata.

--
Joel Esler
Sent from my iPhone

On Apr 26, 2010, at 2:17 AM, monitz <mmonitz at ...2420...> wrote:

> I feel that these kinds of changes should be listed as "disabled" and
> not as "modified" in update publishing.
>
> Thanks for the response, Alex.
>
> Does anyone know how to address the issue on oinkmaster?
>
> On Mon, Apr 26, 2010 at 5:47 AM, Alex Kirk <akirk at ...435...>  
> wrote:
> The VRT has been conducting reviews of the default policies of late  
> - both those included in the metadata fields and the implied  
> policies of commented out vs. not commented out. There are a number  
> of rules that, in their time, were very useful, but are no longer,  
> due to their age - many of these rules, for example, were for  
> vulnerabilities 5 or more years old. Given that running a tighter,  
> more focused ruleset is likely to produce more useful alerts, and  
> given that a number of users simply accept the VRT defaults without  
> much further thought, we decided it was best to turn off some of our  
> older rules, where the probability of a successful attack has become  
> exceedingly low.
>
> Anyone who wants these rules, of course, is free to turn them right  
> back on. That's the beauty of running your own IDS - you need not  
> accept the VRT's judgments as your own if you don't want to.
>
> On Sun, Apr 25, 2010 at 3:53 AM, monitz <mmonitz at ...2420...> wrote:
> Hello,
> I have noticed that the recent VRT update (08 April, I think)
> comments out many sigs.
> I cannot find an announcement or explanation for this.
>
> Does anyone have any idea why this happens?
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...435...
>