[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2013-10-15

Research research at ...435...
Tue Oct 15 13:53:32 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release contains updated base policies and also adds and modifies
rules in several categories.

Details:
This SEU/SRU contains updated base policies for use in your Sourcefire
devices. 

To help customers understand these changes, we are taking this
opportunity to explain the process used by the VRT for deciding how
rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability
that might be covered by a rule. For more information on CVSS please
visit http://www.first.org/cvss. The second criteria is temporal-based
and concerns the age of a particular vulnerability. The final criteria
is the particular area of coverage for the rule. So for example, SQL
Injection rules are considered to be important enough to have influence
when being considered for policy inclusion. Note that, the
vulnerabilities covered by the rules in these categories are considered
important regardless of age.

The considerations for each policy are described below.

Connectivity over Security Base Policy:

 1. CVSS Score must be 10
 2. Age of the vulnerability:
      Current year (2013 for example)
      Last year (2012 in this example)
      Year before last (2011 in this example)
 3. Rule Category
    Not used for this policy

Balanced Base Policy:

 1. CVSS Score 9 or greater
 2. Age of the vulnerability:
      Current year (2013 for example)
      Last year (2012 in this example)
      Year before last (2011 in this example)
 3. Rule Category
      Malware-Cnc
      Blacklist
      SQL Injection
      Exploit-kit

Security over Connectivity Base Policy:

 1. CVSS Score 8 or greater
 2. Age of the vulnerability:
      Current year (2013 for example)
      Last year (2012 in this example)
      Year before last (2011 in this example)
      Year prior (2010 in this example)
 3. Rule Category
      Malware-Cnc
      Blacklist
      SQL Injection
      Exploit-kit
      App-detect

All new rules are placed into the policies based on these criteria.
Every year during the third quarter of the year, the policies will be
re-assessed and rules from previous years, as the vulnerabilities age,
will be removed from the policy to keep the policy compliant with our
temporal selection criteria. Thus, in the third quarter of 2014, the
rules from 2011 will be removed from the ���Connectivity over
Security��� and ���Balanced��� policies while the rules from 2010 will
be removed from the ���Security over Connectivity��� policy. If rules
move between categories, their presence in policies will also be
decided based on the category selection process. Likewise, should the
CVSS score change for a particular vulnerability that is covered by a
rule, its presence in a policy based on the CVSS metric is also
re-assessed.

Rules in the listed policies are evaluated on a rule by rule basis.

Policies that will be affected:

  Those policies that create or have created a policy based on one of
the Sourcefire base policies.
  Those policies that have not modified any of the rule states
manually.

The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-chrome, browser-firefox, browser-ie, browser-other,
browser-plugins, browser-webkit, content-replace, exploit-kit,
file-executable, file-flash, file-identify, file-image, file-java,
file-multimedia, file-office, file-other, file-pdf,
indicator-compromise, indicator-obfuscation, indicator-scan,
indicator-shellcode, malware-cnc, netbios, os-linux, os-mobile,
os-other, os-solaris, os-windows, policy-other, policy-social,
policy-spam, protocol-dns, protocol-ftp, protocol-icmp, protocol-imap,
protocol-nntp, protocol-rpc, protocol-scada, protocol-services,
protocol-snmp, protocol-telnet, protocol-tftp, protocol-voip,
pua-adware, pua-other, pua-p2p, pua-toolbars, server-apache,
server-iis, server-mail, server-mssql, server-mysql, server-oracle,
server-other and server-webapp rule sets to provide coverage for
emerging threats from these technologies.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2013-10-15.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFSXYEfQLjqI2QiHVMRApMkAJ9k3Qr04GEvm0oYds8p4pWf4NbIbQCfdf3B
ppdE0ZzoHhOB9XIDsE0OGzo=
=UXsb
-----END PGP SIGNATURE-----





More information about the Snort-sigs mailing list