[Snort-sigs] Security Ruleset - CVSS Level

Joel Esler (jesler) jesler at ...3865...
Mon Jan 11 15:42:05 EST 2016


Vaughn,

It appears we've isolated the issue.  It would be fixed shortly.  Thank you for bringing this to our attention.

--
Joel Esler
Manager, Talos Group
Sent from my iPhone

On Jan 9, 2016, at 8:40 PM, Joel Esler (jesler) <jesler at ...3865...> wrote:

Vaughn,

Thanks for writing in.

So, there could be a couple things going on here, and I may have to get with the Meraki team to diagnose the problem.

First off, if we take a look at the ruleset:
https://www.snort.org/advisories/talos-rules-2016-01-07

You can see the "enabled"/"disabled" state of the ruleset as shipped.  Now, that means "Balanced".  So if it's on in Balanced, it's on in Security, as the more stringent rulesets also contain the lighter ruleset states, and sometimes make them "harsher".

That all being said, the Meraki device is a unique type of appliance.  You select the policy you want to run, and the system takes care of it for you.

So, there will be a couple things we'll have to diagnose here, and none of which you need to do.  I'll coordinate with the Meraki team to figure out what needs to be done.  Off the top of my head, it could be several things.

I'll follow up once I touch base with them.

Sent from my iPad
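Joel's description of how the policy states nest (whatever is on in Balanced is also on in Security, sometimes with a harsher action) can be checked mechanically against a rule file. The script below is an added example, not code from this thread, from Talos or from Meraki. It assumes the rules carry the `metadata:policy <name> <action>` option that shipped Snort rulesets use to record per-policy state, parses that option from a few constructed rule lines (the SIDs and messages are made up), and reports any rule that is enabled in the lighter policy but absent from the stricter one, plus rules whose action escalates from alert to drop.

```python
"""Check Snort policy-state containment from rule metadata.

Added example, not from the thread or from Snort/Talos. Assumes rules carry
'metadata:policy <name> <action>' entries. The sample rules are constructed.
"""
import re

# Policy names as they appear in rule metadata, least to most stringent.
# The thread discusses balanced-ips and security-ips; the others are
# listed only so the ordering is complete.
POLICY_ORDER = ["connectivity-ips", "balanced-ips", "security-ips", "max-detect-ips"]
ACTION_RANK = {"alert": 0, "drop": 1}  # "drop" is the harsher action

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")
POLICY_RE = re.compile(r"^policy\s+(\S+)\s+(alert|drop)$")

# Constructed sample rule lines (made-up SIDs/messages, not real Talos rules).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED rule 1"; sid:9000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED rule 2"; sid:9000002; rev:1; metadata:policy security-ips drop, policy max-detect-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED rule 3"; sid:9000003; rev:1; metadata:policy balanced-ips alert;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED rule 4"; sid:9000004; rev:1; metadata:policy max-detect-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CONSTRUCTED rule 5"; sid:9000005; rev:1; metadata:policy balanced-ips alert, policy security-ips drop;)
"""


def parse_rules(text):
    """Return {sid: {"commented": bool, "policies": {policy_name: action}}}.

    A leading '#' marks the rule as disabled in the file as shipped; the
    policy metadata still records which policies would enable it.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("# ")
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # plain comment or non-rule line
        policies = {}
        meta_m = METADATA_RE.search(body)
        if meta_m:
            for entry in meta_m.group(1).split(","):
                pm = POLICY_RE.match(entry.strip())
                if pm:
                    policies[pm.group(1)] = pm.group(2)
        rules[int(sid_m.group(1))] = {"commented": commented, "policies": policies}
    return rules


def enabled_in(rules, policy):
    """SIDs whose metadata places them in the given policy."""
    return {sid for sid, r in rules.items() if policy in r["policies"]}


def containment_violations(rules, lighter="balanced-ips", stricter="security-ips"):
    """SIDs present in the lighter policy but missing from the stricter one.

    By the containment property in the thread, this list should be empty.
    """
    if POLICY_ORDER.index(lighter) >= POLICY_ORDER.index(stricter):
        raise ValueError("lighter policy must precede stricter policy")
    return sorted(enabled_in(rules, lighter) - enabled_in(rules, stricter))


def escalations(rules, lighter="balanced-ips", stricter="security-ips"):
    """SIDs whose action is harsher in the stricter policy (alert -> drop)."""
    out = []
    for sid in sorted(enabled_in(rules, lighter) & enabled_in(rules, stricter)):
        a = rules[sid]["policies"][lighter]
        b = rules[sid]["policies"][stricter]
        if ACTION_RANK[b] > ACTION_RANK[a]:
            out.append(sid)
    return out


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("balanced-ips:", sorted(enabled_in(parsed, "balanced-ips")))
    print("security-ips:", sorted(enabled_in(parsed, "security-ips")))
    print("on in Balanced but not Security:", containment_violations(parsed))
    print("harsher in Security:", escalations(parsed))
```

Run against a real `.rules` file by replacing `SAMPLE_RULES` with the file contents; a non-empty `containment_violations` list is the kind of inconsistency worth raising with the ruleset or appliance vendor, since it breaks the assumption that the stricter policy is a superset of the lighter one.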

On Jan 9, 2016, at 8:34 PM, Vaughn A. Hart <vaughn at ...4126...> wrote:

Hi Folks,

I am confused about the security ruleset setting in Snort. I am using a third party vendor (Cisco Meraki) and it seems that they haven't released a Security/Snort ruleset update to their MX security appliances because there have been no matching snort signature releases that match the Security Ruleset CVSS criteria. This seems confusing to me as there have been Microsoft, Adobe and Apple snort signatures since the 4th of December 2015, that are a CVSS of 6 and higher. Or am I mistaken?

If anyone is running the Security Ruleset in Snort (standalone), have you gotten an update? And can someone explain this to me, because what I see from US-CERT and the Talos releases seems to indicate that there should be an update.

Thanks!

--

-V