Snort mailing list archives
Re: What do the commented-out rules mean?
From: Matt Olney <molney () sourcefire com>
Date: Tue, 1 Dec 2009 22:46:42 -0500
The VRT will certainly release rules in a default off state. This is especially true in cases where the detection is particularly performance poor and the target is not widely deployed. We also set rules to default off if, in the opinion of the analyst, the amount of potential false positives are very high, but the detection is still needed for servers or clients in a particular (uncommon) configuration. Finally, we'll release rules in a default off state if we feel that they are of use only to a limited segment of the user base. We know each network is different, and try to make decisions that work on a broad set of networks, but each snort install needs to be tuned in order to provide maximum value. Hope that makes sense, Matt On Tue, Dec 1, 2009 at 9:48 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
Matt/Joel, I could be wrong but I seem to recall a few new signatures in the VRT release being commented-out by default, but listed in the change log as new additions. Sadly, I cannot give you an exact release but I do distinctly recall this situation. Was this intentional, and if so, would it be possible to get a designator in the change log to indicate it's disabled by default? If unintentional, no harm, I just wasn't sure if this was common/expected or not and if VRT releases may include signatures that are disabled by default. Thanks -evilghost Matt Olney wrote:Joel is right. We turn rules off for several reasons: Preprocessors render them irrelevant Performance impact too high in relation to the threat False positives too high in relation to the threat The rule covers an obsolete vuln, and should only be used by people trapped by old tech. Hope that helps, Matt Sent from my iPhone On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler () sourcefire com> wrote:On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin () gmail com> wrote: Hi, all I analyze the web-activex rules in both 2.7 and 2.8 version. There are lots of rules commented out (more than half). So do many other files. What do commented-out rules mean? Are they bad rules, or as a backup for special usage? Thank you very much! It means they are off by default. You can choose to turn them on, if they apply to your environment. -- Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com ------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs------------------------------------------------------------------------ ------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev ------------------------------------------------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- What do the commented-out rules mean? 林闻捷 (Dec 01)
- Re: What do the commented-out rules mean? Joel Esler (Dec 01)
- Re: What do the commented-out rules mean? Matt Olney (Dec 01)
- Re: What do the commented-out rules mean? evilghost () packetmail net (Dec 01)
- Re: What do the commented-out rules mean? Matt Olney (Dec 01)
- Re: What do the commented-out rules mean? evilghost () packetmail net (Dec 01)
- Re: What do the commented-out rules mean? Matt Olney (Dec 01)
- Re: What do the commented-out rules mean? Joel Esler (Dec 01)