[Snort-users] [Snort-sigs] Some notes about today's VRT Rule release for 02/09/2012

Miso Patel miso.patel at ...11827...
Thu Feb 9 16:23:28 EST 2012

It it possible to have the "VRT" rule updates actually contain a synopsis
of what was updated so people don't have to wade thru multiple web pages
just to see them?


Miso, CISO

On Thu, Feb 9, 2012 at 2:58 PM, Joel Esler <jesler at ...1935...> wrote:

> *VRT Rule release for 02/09/2012*
> Join us as we welcome the introduction of the newest rule release for
> today<http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-02-09.html>from the VRT. In this release we introduced 10 new rules and made
> modifications to *4172* additional rules.
> There were no changes made to the snort.conf in this release.
> Today, we leveled the playing field between the various ways to get Snort
> rules. It has long been the case where Sourcefire products, by default,
> enabled rules in the balanced-ips policy.
> When you use PulledPork (http://code.google.com/p/pulledpork/), this is
> also the default behavior. But when you simply downloaded the rules from
> Snort.org, the rules were a hodge podge of rules that were enabled or
> disabled, denoted by whether or not the rule was commented out in the rules
> file.
> In an effort to make the barrier to entry that much easier, the Open
> Source rule package downloaded on snort.org now exactly mirrors what you
> would get if you used PulledPork. All rules in balanced-ips are enabled and
> all rules not in balanced-ips are disabled. The exception to this is that
> rules that set flowbits that are used by rules that are in balanced-ips are
> also enabled. This means that the default Open Source ruleset will now
> provide a good balance between speed, performance, and detection and all
> rules should work as expected.  Those using Oinkmaster, or simply
> downloading the ruleset directly, will now be running the "balanced-ips"
> policy.  A rule's "on/off" state is now dictated by policy.
> This change is in no way an indication that PulledPork is not the
> recommended way to manage your Open Source ruleset. PulledPork also tracks
> your own custom policy tailored to your environment and provides other
> benefits. If you want to use the security-ips policy, you may go through
> and enable these rules by default, or choose the easy way and use
> PulledPork to manage this for you. So, use PulledPork if you aren't already!
>  In VRT's rule release:
> Synopsis: This release adds and modifies rules in several categories.
> Details: The Sourcefire VRT has added and modified multiple rules in the
> attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns,
> dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc,
> multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc,
> rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put,
> sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc
> and x11 rule sets to provide coverage for emerging threats from these
> technologies.
> In order to subscribe now <http://www.snort.org/vrt/buy-a-subscription/>to the VRT's newest rule detection functionality, you can subscribe for as
> low as $29 US dollars a year for personal users, be sure and see our
> business pricing as well at http://www.snort.org/store. Make sure and
> stay up to date to catch the most emerging threats!
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120209/37796543/attachment.html>

More information about the Snort-users mailing list