[Snort-users] Some notes about today's VRT Rule release for 02/09/2012

Joel Esler jesler at ...1935...
Thu Feb 9 15:58:08 EST 2012

*VRT Rule release for 02/09/2012*

Join us as we welcome the introduction of the newest rule release for
the VRT. In this release we introduced 10 new rules and made
modifications to *4172* additional rules.

There were no changes made to the snort.conf in this release.

Today, we leveled the playing field between the various ways to get Snort
rules. It has long been the case where Sourcefire products, by default,
enabled rules in the balanced-ips policy.

When you use PulledPork (http://code.google.com/p/pulledpork/), this is
also the default behavior. But when you simply downloaded the rules from
Snort.org, the rules were a hodge podge of rules that were enabled or
disabled, denoted by whether or not the rule was commented out in the rules

In an effort to make the barrier to entry that much easier, the Open Source
rule package downloaded on snort.org now exactly mirrors what you would get
if you used PulledPork. All rules in balanced-ips are enabled and all rules
not in balanced-ips are disabled. The exception to this is that rules that
set flowbits that are used by rules that are in balanced-ips are also
enabled. This means that the default Open Source ruleset will now provide a
good balance between speed, performance, and detection and all rules should
work as expected.  Those using Oinkmaster, or simply downloading the
ruleset directly, will now be running the "balanced-ips" policy.  A rule's
"on/off" state is now dictated by policy.

This change is in no way an indication that PulledPork is not the
recommended way to manage your Open Source ruleset. PulledPork also tracks
your own custom policy tailored to your environment and provides other
benefits. If you want to use the security-ips policy, you may go through
and enable these rules by default, or choose the easy way and use
PulledPork to manage this for you. So, use PulledPork if you aren't already!

 In VRT's rule release:

Synopsis: This release adds and modifies rules in several categories.

Details: The Sourcefire VRT has added and modified multiple rules in the
attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns,
dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc,
multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc,
rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put,
sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc
and x11 rule sets to provide coverage for emerging threats from these

In order to subscribe now <http://www.snort.org/vrt/buy-a-subscription/> to
the VRT's newest rule detection functionality, you can subscribe for as low
as $29 US dollars a year for personal users, be sure and see our business
pricing as well at http://www.snort.org/store. Make sure and stay up to
date to catch the most emerging threats!

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120209/08c42c73/attachment.html>

More information about the Snort-users mailing list