[Snort-users] which ruleset to use?

Roeland Weve roeland at ...1415...
Tue Apr 3 08:11:18 EDT 2001


Hello everybody,

This subject has been discussed a couple of times, I thought.
It's about the rules: which rules and rulesets to use.

Why are there 2 people making and updating different rulesets, 
and why aren't they just making 1 complete ruleset?
I am talking about the vision.rules and the snort *.rules.

Which one is better to use, which set is more regularly updated?
Does anyone have an opinion about that subject?
I see all the vision.rules rules do have a whitehats-IDS reference
number, but not a cve or bugtraq number (the snort rules do), why is
that?

I think I have to make the choice of which ruleset to use on my own. But
please, can you give me some disadvantages and advantages so I can make a
list and have a look at which set to use.
I still have to make a choice, but I can't choose ;-(

I have some Dis- and Advantages...
vision.rules:
D: all in 1 file (not categorized. Could be an advantage...)
A: every rule has a whitehats IDS reference number
A: updated every day

snort rules:
A: it's split up, so you can easily disable or enable rulesets
(categorized)
A: Also cve and bugtraq numbers
D: Not every rule has a reference number

Thnx for helping me,

Roeland
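As an added example (not part of Roeland's message and not Snort project code), a small Python script that tallies reference coverage per ruleset file, so the "not every rule has a reference number" point can be measured rather than eyeballed. The rule lines are constructed samples in Snort 1.x syntax with placeholder IDs, not entries from the real vision.rules or snort *.rules files.

```python
import re
from collections import Counter

# Constructed sample rules (placeholder IDs), not real vision.rules content.
VISION_SAMPLE = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS000/ftp-example"; flags:A+; content:"site exec"; reference:arachnids,IDS000;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS001/dns-example"; content:"version"; reference:arachnids,IDS001;)
"""

# Constructed sample of a categorized snort *.rules file (placeholder IDs).
SNORT_SAMPLE = """\
# comments and blank lines are skipped

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example"; flags:A+; content:"site exec"; reference:arachnids,IDS000; reference:bugtraq,0000; reference:cve,CVE-0000-0000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example"; flags:A+; content:"/example"; nocase;)
"""

# A rule line: action, header, then one option block in parentheses.
RULE_RE = re.compile(r'^(alert|log|pass)\s[^(]*\((.*)\)\s*$')
# Snort's reference option: reference:<system>,<id>;
REF_RE = re.compile(r'reference\s*:\s*([^,;]+)\s*,\s*([^;]+);')

def rule_references(options):
    """Return [(system, id), ...] found in one rule's option block."""
    return [(s.strip().lower(), i.strip()) for s, i in REF_RE.findall(options)]

def summarize(rules_text):
    """Count rules, rules carrying any reference, and references per system."""
    total = with_ref = 0
    per_system = Counter()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a preprocessor or var directive)
        total += 1
        refs = rule_references(m.group(2))
        if refs:
            with_ref += 1
        per_system.update(system for system, _ in refs)
    return {'rules': total, 'with_reference': with_ref, 'per_system': dict(per_system)}

if __name__ == '__main__':
    for name, text in (('vision.rules', VISION_SAMPLE), ('snort *.rules', SNORT_SAMPLE)):
        print(name, summarize(text))
```

Point it at the real files by reading them into `summarize()` to see which systems (arachnids, cve, bugtraq) each set actually cites and how many rules carry no reference at all.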



