Snort mailing list archives
Re: [Snort-sigs] Snort 2.8.6.1 EOL Reminder
From: Mike Lococo <mikelococo () gmail com>
Date: Thu, 01 Dec 2011 19:26:20 -0500
On 12/01/2011 04:50 PM, L0rd Ch0de1m0rt wrote:
Simply put, the VRT ruleset is geared more toward exploits and ET is geared more toward malware...
In my experience as an incident responder who uses VRT and ET Open together, I agree with this summary (although it's obviously an oversimplification of two rulesets that each contain thousands of sigs).

Almost all of the sigs that I trust to tell me when a workstation has been compromised by run-of-the-mill drive-by malware are from ET. I have a variety of methods to find new "trusted sigs", but the VRT stuff rarely bubbles to the top for day-to-day malware detection.

Most of the sigs that I use to provide auditing and contextual activity that's not necessarily malicious but that is well worth looking at in suspicious cases (exe downloads, java-versions, jar downloads, and lots of similar stuff) I found in VRT first and generally use their versions of. The new "file-types" file seems to be pushing that even further.

Also, when I get a call from my boss's boss's boss about a new vulnerability they read about in the newspaper, VRT usually provides the sig that lets me say "we're actively monitoring the situation as it develops, and have network detection logic in place that detects the attack".

Cheers,
Mike Lococo