[Snort-users] [Snort-sigs] Some notes about today's VRT Rule release for 02/09/2012

Miso Patel miso.patel at ...11827...
Thu Feb 9 17:40:48 EST 2012


Thank you Joel.  Actually I was hoping to have the information in the email
itself.  Sorry to not be clear on that.

I figure if I already get an email then I don't need to go to a web page.
Although but apparently I do.  What ends up happening is I have to go
digging thru multiple web pages since after the first web page, I has to
access more URIs since the details on what was updated is not there either
on the first page.  SO you have email -> web page -> (repeat the web page
step as long as you can take it and maybe get lucky) -> real info.

If you want to do email alerts, put the info there.  Non one wants to slug
thru many web pages or blogs or twitters or whatever you kids do these days
... it will make you blind.

THANKS.

Miso, CISO

VmlqYXksIGlmIEpvZWwncyByZXNwb25zZSBpcyBsZXNzIHRoYW4gMyBzZW50YW5jZXMsIHlvdSBvd24gbWUgbHVuY2ggYW5kIGEgZGF0YSB3aXRoIHlvdXIgc2lzdGVyIEJpbnN3YWxhLg==

On Thu, Feb 9, 2012 at 4:20 PM, Joel Esler <jesler at ...1935...> wrote:

> The changes for each release are posted here:
>
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-02-09.html
>
> All you have to do, technically, is change the date, this the page that I
> link from the blog entires.
>
> All the changelogs are found here: http://www.snort.org/vrt
>
> I don't think we need to publish a further detail of the update within the
> rule package itself.
>
> J
>
>
> On Thu, Feb 9, 2012 at 4:23 PM, Miso Patel <miso.patel at ...11827...> wrote:
>
>> It it possible to have the "VRT" rule updates actually contain a synopsis
>> of what was updated so people don't have to wade thru multiple web pages
>> just to see them?
>>
>> Thanks!1
>>
>> Miso, CISO
>>
>> On Thu, Feb 9, 2012 at 2:58 PM, Joel Esler <jesler at ...1935...> wrote:
>>
>>>  *VRT Rule release for 02/09/2012*
>>>
>>> Join us as we welcome the introduction of the newest rule release for
>>> today<http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-02-09.html>from the VRT. In this release we introduced 10 new rules and made
>>> modifications to *4172* additional rules.
>>>
>>> There were no changes made to the snort.conf in this release.
>>>
>>> Today, we leveled the playing field between the various ways to get
>>> Snort rules. It has long been the case where Sourcefire products, by
>>> default, enabled rules in the balanced-ips policy.
>>>
>>> When you use PulledPork (http://code.google.com/p/pulledpork/), this is
>>> also the default behavior. But when you simply downloaded the rules from
>>> Snort.org, the rules were a hodge podge of rules that were enabled or
>>> disabled, denoted by whether or not the rule was commented out in the rules
>>> file.
>>>
>>> In an effort to make the barrier to entry that much easier, the Open
>>> Source rule package downloaded on snort.org now exactly mirrors what
>>> you would get if you used PulledPork. All rules in balanced-ips are enabled
>>> and all rules not in balanced-ips are disabled. The exception to this is
>>> that rules that set flowbits that are used by rules that are in
>>> balanced-ips are also enabled. This means that the default Open Source
>>> ruleset will now provide a good balance between speed, performance, and
>>> detection and all rules should work as expected.  Those using Oinkmaster,
>>> or simply downloading the ruleset directly, will now be running the
>>> "balanced-ips" policy.  A rule's "on/off" state is now dictated by policy.
>>>
>>> This change is in no way an indication that PulledPork is not the
>>> recommended way to manage your Open Source ruleset. PulledPork also tracks
>>> your own custom policy tailored to your environment and provides other
>>> benefits. If you want to use the security-ips policy, you may go through
>>> and enable these rules by default, or choose the easy way and use
>>> PulledPork to manage this for you. So, use PulledPork if you aren't already!
>>>
>>>  In VRT's rule release:
>>>
>>> Synopsis: This release adds and modifies rules in several categories.
>>>
>>> Details: The Sourcefire VRT has added and modified multiple rules in the
>>> attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns,
>>> dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc,
>>> multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc,
>>> rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put,
>>> sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc
>>> and x11 rule sets to provide coverage for emerging threats from these
>>> technologies.
>>>
>>> In order to subscribe now <http://www.snort.org/vrt/buy-a-subscription/>to the VRT's newest rule detection functionality, you can subscribe for as
>>> low as $29 US dollars a year for personal users, be sure and see our
>>> business pricing as well at http://www.snort.org/store. Make sure and
>>> stay up to date to catch the most emerging threats!
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Virtualization & Cloud Management Using Capacity Planning
>>> Cloud computing makes use of virtualization - but cloud computing
>>> also focuses on allowing computing to be delivered as a service.
>>> http://www.accelacomm.com/jaw/sfnl/114/51521223/
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>>
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>>
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120209/c2b0a6f4/attachment.html>


More information about the Snort-users mailing list