Snort mailing list archives
Re: CVE-2012-5076 and CVE-2012-1723 Rules
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 26 Nov 2012 18:29:32 -0500
On Nov 26, 2012, at 2:14 PM, Y M <snort () outlook com> wrote:
> Miso, I use both, VRT and ET in my production systems. Personally, they both complement each other for greater coverability. But this comes at the cost of managing the rules, responding to alerts; while eliminating alerts of the same threat being fired by two different rulesets, in a timely fashion. Although this is doable, it takes a lot of time, tracking and engineering of the rulesets.
To be clear: we don't enable all the rules out of the box because we believe you should tune any ruleset to your network. Plus we have over 15k rules in the VRT set. Performance would not be good if we turned them all on.
<snip to avoid any perception of flame war>
> For almost a month, I have been watching how and when both teams update their rules. Release dates of updated rules by both teams happen at almost identical dates, give or take two or three days for both. This is not the case when using the Registered ruleset of the VRT team as it is almost a month behind the Subscriber ruleset, which is currently being discussed by Joel and Nathan in previous emails.
Wait... The Registered ruleset is the same exact ruleset as the Subscriber set, for free. This is the complete ruleset, not a subset of a ruleset. It's just 30 days behind the subscriber download. What Nathan and I are referring to is a third download option. The Community ruleset will be a separate package for Registered users (subscribers will have to do nothing) to get up-to-date community-submitted rules + some others. This will allow people to submit rules to the VRT ruleset, where the rules will remain under an open license without the restrictions on reuse and access that the VRT license states.
> My approach to this is completely different. The selection of which rules (.rules) to include is largely dependent on the environment and systems you run, network traffic, where your sensors are placed in the network, which rules can cover more of a particular threat, and your response methodology. I try to utilize the best of both worlds and this is an on-going process that requires close attention as much as possible given that resources permit.
Which is what we recommend.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
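The thread's practical problem is running VRT and ET side by side and having the same threat fire twice. The script below is an added illustration, not code from this thread, from Sourcefire/VRT or from Emerging Threats: it parses Snort rule text from two rulesets, indexes rules by their `reference:cve` options, and reports CVEs that are covered by an enabled rule in both sets, which is the list a tuner would work through when deciding which duplicate to disable. The rule lines are constructed samples (the `EXAMPLE` messages and the 9000000-range sids are placeholders, not real VRT or ET sids); the CVE identifiers are the two from the thread subject. It treats a leading `#` as "disabled", the convention Snort rule files use.

```python
import re
from collections import defaultdict

# Constructed sample rules: placeholder sids and messages, not real VRT/ET content.
# The second VRT rule is commented out, i.e. disabled, as a tuner would leave it.
VRT_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE Java exploit attempt A"; flow:to_client,established; reference:cve,2012-5076; classtype:attempted-user; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE Java exploit attempt B"; flow:to_client,established; reference:cve,2012-1723; classtype:attempted-user; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE rule with no CVE reference"; flow:to_client,established; classtype:misc-activity; sid:9000003; rev:1;)
"""
ET_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE Java exploit A"; flow:established,to_client; reference:cve,2012-5076; reference:url,example.invalid/advisory; classtype:trojan-activity; sid:9100001; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE Java exploit B"; flow:established,to_client; reference:cve,2012-1723; classtype:trojan-activity; sid:9100002; rev:1;)
"""

# A rule line: optional '#' (disabled), an action keyword, a header, then "(options)".
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+.*?\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
CVE_RE = re.compile(r'\breference\s*:\s*cve\s*,\s*(\d{4}-\d+)\s*;', re.IGNORECASE)


def parse_rules(text, ruleset):
    """Return a list of dicts (ruleset, sid, msg, enabled, cves) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments
        opts = m.group("opts")
        sid_m = SID_RE.search(opts)
        if not sid_m:
            continue  # a rule without a sid is not loadable anyway
        msg_m = MSG_RE.search(opts)
        rules.append({
            "ruleset": ruleset,
            "sid": int(sid_m.group(1)),
            "msg": msg_m.group(1) if msg_m else "",
            "enabled": m.group("disabled") is None,
            "cves": {"CVE-" + c for c in CVE_RE.findall(opts)},
        })
    return rules


def overlapping_cves(rules):
    """CVEs referenced by rules from more than one ruleset, enabled or not."""
    by_cve = defaultdict(list)
    for r in rules:
        for cve in r["cves"]:
            by_cve[cve].append(r)
    return {cve: rs for cve, rs in by_cve.items()
            if len({r["ruleset"] for r in rs}) > 1}


def duplicate_active_coverage(rules):
    """CVEs where more than one ruleset still has an *enabled* rule: the ones that
    will alert twice on the same event. Maps CVE -> sorted (ruleset, sid) pairs."""
    out = {}
    for cve, rs in overlapping_cves(rules).items():
        active = [r for r in rs if r["enabled"]]
        if len({r["ruleset"] for r in active}) > 1:
            out[cve] = sorted((r["ruleset"], r["sid"]) for r in active)
    return out


def report(rules):
    """Human-readable summary, one line per doubly-covered CVE."""
    lines = []
    for cve, pairs in sorted(duplicate_active_coverage(rules).items()):
        who = ", ".join(f"{rs}:{sid}" for rs, sid in pairs)
        lines.append(f"{cve}: enabled in {who}")
    return lines


if __name__ == "__main__":
    all_rules = parse_rules(VRT_RULES, "VRT") + parse_rules(ET_RULES, "ET")
    for line in report(all_rules):
        print(line)
```

Run against real rule directories, you would read each `.rules` file into `parse_rules` with its ruleset name; CVE-2012-1723 does not appear in the duplicate list here only because the VRT copy is disabled, which is the state the thread's "eliminate duplicate alerts" work leaves you in. CVE references are a coarse key (two rules for the same CVE may cover different exploitation paths), so the output is a review list, not a list of rules to delete blindly.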