[Snort-sigs] CVE-2012-5076 and CVE-2012-1723 Rules

Joel Esler jesler at ...435...
Mon Nov 26 18:29:32 EST 2012


On Nov 26, 2012, at 2:14 PM, Y M <snort at ...3751...> wrote:

> Miso,
>  
> I use both, VRT and ET in my production systems. Personally, they both complement each other for greater coverability. But this comes at the cost of managing the rules, responding to alerts; while eliminating alerts of the same threat being fired by two different rulesets, in a timely fashion. Although this is doable, it takes a lot of time, tracking and engineering of the rulesets.


To be clear.  We don't enable all the rules out of the box because we believe you should tune any ruleset to your network.  Plus we have over 15k rules in the VRT set.  Performance would not be good if we turned them all on.  


> <snip to avoid any perception of flame war>

>  For almost a month, I have been watching how and when both teams update their rules. Release dates of updated rules by both teams happen at almost identical dates, give or take two or three days for both. This is not the case when using the Registered ruleset of the VRT team as it is almost a month behind the Subscriber ruleset, which is currently being discussed by Joel and Nathan in previous emails.

Wait..

The Registered ruleset is the same exact ruleset as the Subscriber set, for free.  This is the complete ruleset, not a subset of a ruleset.  It's just 30 days behind the subscriber download.

What Nathan and I are referring to is a third download option.  The Community ruleset will be a separate package for Registered users (subscribers will have to do nothing) to get up to date community submitted rules + some others.  This will allow people to submit rules to the VRT ruleset, where the rules will remain under an open license without the restrictions on reuse and access that the VRT license states.

>  My approach to this is completely different. The selection of which rules (.rules) to include is largely dependent on the environment and systems you run, network traffic, where your sensors are placed in the network, which rules can cover more of a particular threat, and your response methodology. I try to utilize the best of both worlds and this is an on-going process that requires close attention as much as possible given that resources permit.

Which is what we recommend.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire