Snort mailing list archives

Re: [Snort-sigs] Snort 2.8.6.1 EOL Reminder
From: Mike Lococo <mikelococo () gmail com>
Date: Thu, 01 Dec 2011 19:26:20 -0500

On 12/01/2011 04:50 PM, L0rd Ch0de1m0rt wrote:
> Simply put, the VRT ruleset is geared more toward exploits and ET is
> geared more toward malware...

In my experience as an incident responder who uses VRT and ET Open 
together, I agree with this summary (although it's obviously an 
oversimplification of two rulesets that each contain thousands of sigs).

Almost all of the sigs that I trust to tell me when a workstation has 
been compromised by run-of-the-mill drive-by malware are from ET.  I 
have a variety of methods to find new "trusted sigs" but the VRT stuff 
rarely bubbles to the top for day-to-day malware detection.

Most of the sigs that I use to provide auditing and contextual activity 
that's not necessarily malicious but that is well worth looking at in 
suspicious cases (exe downloads, java-versions, jar downloads, and lots 
of similar stuff) I found in VRT first and generally use their versions 
of.  The new "file-types" file seems to be pushing that even further. 
Also, when I get a call from my boss's boss's boss about a new 
vulnerability they read about in the newspaper, VRT usually provides the 
sig that lets me say "we're actively monitoring the situation as it 
develops, and have network detection logic in place that detects the 
attack".

Cheers,
Mike Lococo
