[Snort-users] [Snort-sigs] Snort EOL Reminder

Mike Lococo mikelococo at ...11827...
Thu Dec 1 19:26:20 EST 2011

On 12/01/2011 04:50 PM, L0rd Ch0de1m0rt wrote:
> Simply put, the VRT ruleset is geared more toward exploits and ET is
> geared more toward malware...

In my experience as an incident responder who uses VRT and ET Open 
together, I agree with this summary (although it's obviously an 
oversimplification of two rulesets that each contain thousands of sigs).

Almost all of the sigs that I trust to tell me when a workstation has 
been compromised by run-of-the-mill drive-by malware are from ET.  I 
have a variety of methods to find new "trusted sigs" but the VRT stuff 
rarely bubbles to the top for day-to-day malware detection.

Most of the sigs that I use to provide auditing and contextual activity 
that's not necessary malicious but that is well worth looking at in 
suspicious cases (exe downloads, java-versions, jar downloads, and lots 
of similar stuff) I found in VRT first and generally use their versions 
of.  The new "file-types" file seems to be pushing that even further. 
Also, when I get a call from my bosses bosses boss about a new 
vulnerability they read about in the newspaper, VRT usually provides the 
sig that lets me say "we're actively monitoring the situation as it 
develops, and have network detection logic in place that detects the 

Mike Lococo

More information about the Snort-users mailing list