[Snort-users] [Snort-sigs] Some notes about today's VRT Rule release for 02/09/2012

Joel Esler jesler at ...1935...
Thu Feb 9 17:20:54 EST 2012

The changes for each release are posted here:


All you have to do, technically, is change the date, this the page that I
link from the blog entires.

All the changelogs are found here: http://www.snort.org/vrt

I don't think we need to publish a further detail of the update within the
rule package itself.


On Thu, Feb 9, 2012 at 4:23 PM, Miso Patel <miso.patel at ...11827...> wrote:

> It it possible to have the "VRT" rule updates actually contain a synopsis
> of what was updated so people don't have to wade thru multiple web pages
> just to see them?
> Thanks!1
> Miso, CISO
> On Thu, Feb 9, 2012 at 2:58 PM, Joel Esler <jesler at ...1935...> wrote:
>> *VRT Rule release for 02/09/2012*
>> Join us as we welcome the introduction of the newest rule release for
>> today<http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-02-09.html>from the VRT. In this release we introduced 10 new rules and made
>> modifications to *4172* additional rules.
>> There were no changes made to the snort.conf in this release.
>> Today, we leveled the playing field between the various ways to get Snort
>> rules. It has long been the case where Sourcefire products, by default,
>> enabled rules in the balanced-ips policy.
>> When you use PulledPork (http://code.google.com/p/pulledpork/), this is
>> also the default behavior. But when you simply downloaded the rules from
>> Snort.org, the rules were a hodge podge of rules that were enabled or
>> disabled, denoted by whether or not the rule was commented out in the rules
>> file.
>> In an effort to make the barrier to entry that much easier, the Open
>> Source rule package downloaded on snort.org now exactly mirrors what you
>> would get if you used PulledPork. All rules in balanced-ips are enabled and
>> all rules not in balanced-ips are disabled. The exception to this is that
>> rules that set flowbits that are used by rules that are in balanced-ips are
>> also enabled. This means that the default Open Source ruleset will now
>> provide a good balance between speed, performance, and detection and all
>> rules should work as expected.  Those using Oinkmaster, or simply
>> downloading the ruleset directly, will now be running the "balanced-ips"
>> policy.  A rule's "on/off" state is now dictated by policy.
>> This change is in no way an indication that PulledPork is not the
>> recommended way to manage your Open Source ruleset. PulledPork also tracks
>> your own custom policy tailored to your environment and provides other
>> benefits. If you want to use the security-ips policy, you may go through
>> and enable these rules by default, or choose the easy way and use
>> PulledPork to manage this for you. So, use PulledPork if you aren't already!
>>  In VRT's rule release:
>> Synopsis: This release adds and modifies rules in several categories.
>> Details: The Sourcefire VRT has added and modified multiple rules in the
>> attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns,
>> dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc,
>> multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc,
>> rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put,
>> sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc
>> and x11 rule sets to provide coverage for emerging threats from these
>> technologies.
>> In order to subscribe now <http://www.snort.org/vrt/buy-a-subscription/>to the VRT's newest rule detection functionality, you can subscribe for as
>> low as $29 US dollars a year for personal users, be sure and see our
>> business pricing as well at http://www.snort.org/store. Make sure and
>> stay up to date to catch the most emerging threats!
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>> ------------------------------------------------------------------------------
>> Virtualization & Cloud Management Using Capacity Planning
>> Cloud computing makes use of virtualization - but cloud computing
>> also focuses on allowing computing to be delivered as a service.
>> http://www.accelacomm.com/jaw/sfnl/114/51521223/
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> Please visit http://blog.snort.org for the latest news about Snort!

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120209/faac25ab/attachment.html>

More information about the Snort-users mailing list