[Snort-users] [Snort-sigs] Snort 126.96.36.199 EOL Reminder
mikelococo at ...11827...
Thu Dec 1 19:26:20 EST 2011
On 12/01/2011 04:50 PM, L0rd Ch0de1m0rt wrote:
> Simply put, the VRT ruleset is geared more toward exploits and ET is
> geared more toward malware...
In my experience as an incident responder who uses VRT and ET Open
together, I agree with this summary (although it's obviously an
oversimplification of two rulesets that each contain thousands of sigs).
Almost all of the sigs that I trust to tell me when a workstation has
been compromised by run-of-the-mill drive-by malware are from ET. I
have a variety of methods to find new "trusted sigs" but the VRT stuff
rarely bubbles to the top for day-to-day malware detection.
Most of the sigs that I use to provide auditing and contextual activity
that's not necessarily malicious but that is well worth looking at in
suspicious cases (exe downloads, java-versions, jar downloads, and lots
of similar stuff) I found in VRT first and generally use their versions
of. The new "file-types" file seems to be pushing that even further.
Also, when I get a call from my boss's boss's boss about a new
vulnerability they read about in the newspaper, VRT usually provides the
sig that lets me say "we're actively monitoring the situation as it
develops, and have network detection logic in place that detects the