Snort mailing list archives

Re: CVE-2012-5076 and CVE-2012-1723 Rules


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 26 Nov 2012 18:29:32 -0500

On Nov 26, 2012, at 2:14 PM, Y M <snort () outlook com> wrote:

Miso,
 
I use both, VRT and ET, in my production systems. Personally, they both complement each other for greater coverage. 
But this comes at the cost of managing the rules, responding to alerts, and eliminating alerts for the same threat 
being fired by two different rulesets, in a timely fashion. Although this is doable, it takes a lot of time, 
tracking and engineering of the rulesets.


To be clear.  We don't enable all the rules out of the box because we believe you should tune any ruleset to your 
network.  Plus we have over 15k rules in the VRT set.  Performance would not be good if we turned them all on.  


<snip to avoid any perception of flame war>

 For almost a month, I have been watching how and when both teams update their rules. Release dates of updated rules 
by both teams fall on almost identical dates, give or take two or three days for both. This is not the case when 
using the Registered ruleset of the VRT team, as it is almost a month behind the Subscriber ruleset, which is 
currently being discussed by Joel and Nathan in previous emails.

Wait..

The Registered ruleset is the same exact ruleset as the Subscriber set, for free.  This is the complete ruleset, not a 
subset of a ruleset.  It's just 30 days behind the subscriber download.

What Nathan and I are referring to is a third download option.  The Community ruleset will be a separate package for 
Registered users (subscribers will have to do nothing) to get up to date community submitted rules + some others.  This 
will allow people to submit rules to the VRT ruleset, where the rules will remain under an open license without the 
restrictions on reuse and access that the VRT license states.

 My approach to this is completely different. The selection of which rules (.rules) to include is largely dependent 
on the environment and systems you run, network traffic, where your sensors are placed in the network, which rules 
can cover more of a particular threat, and your response methodology. I try to utilize the best of both worlds, and 
this is an on-going process that requires close attention, as much as resources permit.

Which is what we recommend.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
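The overlap Y M describes above (the same threat firing from both the VRT and ET sets) can be triaged mechanically by matching rules on their `reference:cve` metadata, which both rulesets carry. The script below is an added example for this thread, not code from the list post, from Sourcefire/VRT or from Emerging Threats. The two rule files are constructed inline, and every SID, message and content match in them is hypothetical; the only real-world conventions it relies on are the Snort rule option syntax (`msg`, `sid`, `gid`, `reference:cve,...`, a leading `#` for a disabled rule) and the `gid:sid` line format that pulledpork's disablesid.conf accepts.

```python
"""Find rules in two Snort rulesets that reference the same CVE.

Added example for the snort-sigs thread; not VRT or ET code. The rule text
below is constructed for illustration and every SID/message is hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample "files". Real VRT/ET rules are far richer; only the
# option fields this script reads matter here.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-VRT Java class file sample A"; flow:to_client,established; content:"|CA FE BA BE|"; reference:cve,2012-1723; classtype:attempted-user; sid:9000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-VRT disabled sample"; content:"disabled"; reference:cve,2012-5076; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-VRT unrelated sample C"; content:"unrelated"; reference:cve,2012-0001; sid:9000003; rev:1;)
"""
ET_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-ET Java class file sample A"; flow:to_client,established; content:"|CA FE BA BE|"; reference:cve,2012-1723; reference:url,example.invalid/x; classtype:attempted-user; sid:2900001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-ET Java sample B"; content:"foo"; reference:cve,2012-5076; sid:2900002; rev:1;)
"""

ACTION_RE = re.compile(r"^(alert|drop|reject|sdrop|log|pass)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
# Accepts both "reference:cve,2012-1723;" and "reference:cve,CVE-2012-1723;".
CVE_RE = re.compile(r"\breference\s*:\s*cve\s*,\s*(?:cve-)?(\d+-\d+)\s*;", re.I)


def parse_rules(text):
    """Return one dict per rule: gid, sid, msg, set of CVE ids, enabled flag.

    A rule commented out with '#' is kept and marked disabled, because a
    disabled rule does not contribute duplicate alerts. Plain comments are
    skipped. Multi-line rules (backslash continuation) are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            body = line.lstrip("# ")
            if not ACTION_RE.match(body):
                continue  # an ordinary comment, not a disabled rule
            enabled, line = False, body
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        msg = MSG_RE.search(line)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,  # Snort default gid
            "sid": int(sid.group(1)),
            "msg": msg.group(1) if msg else "",
            "cves": {c.upper() for c in CVE_RE.findall(line)},
            "enabled": enabled,
        })
    return rules


def find_overlap(rules_a, rules_b):
    """Map CVE -> (rules from A, rules from B) for CVEs that enabled rules
    in both sets reference. Only enabled rules count."""
    def index(rules):
        idx = defaultdict(list)
        for r in rules:
            if r["enabled"]:
                for cve in r["cves"]:
                    idx[cve].append(r)
        return idx
    a, b = index(rules_a), index(rules_b)
    return {cve: (a[cve], b[cve]) for cve in sorted(a.keys() & b.keys())}


def disable_entries(overlap, side=1):
    """'gid:sid' lines (pulledpork disablesid.conf style) for the duplicates
    on one side: 0 = first ruleset, 1 = second. Review before applying;
    two rules for one CVE rarely match identical traffic."""
    entries = []
    for _, pair in overlap.items():
        for r in pair[side]:
            entry = f"{r['gid']}:{r['sid']}"
            if entry not in entries:
                entries.append(entry)
    return entries


if __name__ == "__main__":
    overlap = find_overlap(parse_rules(VRT_RULES), parse_rules(ET_RULES))
    for cve, (vrt, et) in overlap.items():
        print(f"CVE-{cve}: VRT {[r['sid'] for r in vrt]} / ET {[r['sid'] for r in et]}")
    print("disablesid entries (ET side):", disable_entries(overlap, side=1))
```

In the sample, only one CVE is covered by enabled rules in both sets (the VRT rule for the other shared CVE is commented out, so it is not counted), and the output is the single ET `gid:sid` to consider disabling. Matching on CVE is a starting point, not a verdict: two rules citing the same CVE can key on different delivery paths, so confirm with the rule bodies and the sensor's placement before suppressing either one.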
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
