Re: Enquiry Sourcefire VRT Rules Update

[Joel Esler <jesler () sourcefire com>]

Rules are disabled for a multitude of reasons.  Some being speed, age, possible false positive rate, or amount of 
alerts it will generate.

For instance some of the alerts you outline below are things like the "ping".  This would alert on a customer's network 
possibly millions of times a day, and therefore isn't very useful.

We recommend you begin with one of our default policies (connectivity, balanced, or security) and tune from there.  We 
recommend using PulledPork for this job.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 14, 2013, at 5:11 AM, Dennis Lau <dennis.lau () citictel-cpc com> wrote:

> Dear Snort developers,
>  
> I found that there is basket of rules being modified and disabled by VRT. I try to make a review on it, as I am 
> currently using SIEM to make some correlations. Below is the list that I summarized.
>  
> I would like to know why these specific rules would be disable by VRT? What is the reason behind?
> As some of them are common triggered by most sniffer,like  PROTOCOL-ICMP Echo Reply
> 1:408
> it was disabled by vrt update 
> and 1:1417.
>  
> Why would snort disable them? Is there any documentation that provide a complete explanation on the change? Will the 
> disable action affect the snort’s accuracy on vulnerability detection?
>  
> Name
> ID
> Reason
> NETBIOS SMB write_andx overflow attempt
> 3:10161
> it impacts to snort engine only
> OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt
> 1:20258
> it was disabled by vrt update
> FILE-OTHER Adobe multiple products dwmapi.dll dll-load exploit attempt
> 1:19618
> it was disabled by vrt update
> PROTOCOL-ICMP Destination Unreachable Port Unreachable
> 1:402
> it is commonly to be appeared in network
> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt
> 3:15474
> customer is not using isa 2004
> BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
> 1:11257
> it was disabled by vrt update
> INDICATOR-COMPROMISE 403 Forbidden
> 1:1201
> it was disabled by vrt update
> INDICATOR-SHELLCODE x86 inc ecx NOOP
> 1:1394
> it was disabled by vrt update
> INDICATOR-SHELLCODE x86 setgid 0
> 1:649
> it was disabled by vrt update
> OS-WINDOWS Microsoft Windows WebDAV search overflow attempt
> 1:11686
> it was disabled by vrt update
> POLICY-OTHER web server file upload attempt
> 1:5708
> it was disabled by vrt update
> PROTOCOL-ICMP Destination Unreachable Host Unreachable
> 1:399
> it was disabled by vrt update
> PROTOCOL-ICMP Echo Reply
> 1:408
> it was disabled by vrt update
> PROTOCOL-ICMP L3retriever Ping
> 1:466
> it was disabled by vrt update
> PROTOCOL-ICMP PING
> 1:384
> it was disabled by vrt update
> PROTOCOL-ICMP Time-To-Live Exceeded in Transit
> 1:449
> it was disabled by vrt update
> PROTOCOL-ICMP traceroute
> 1:385
> it was disabled by vrt update
> SERVER-IIS encoding access
> 1:1010
> it was disabled by vrt update
> SERVER-IIS view source via translate header
> 1:1042
> it was disabled by vrt update
> SERVER-IIS Unauthorized IP Access Attempt
> 1:1045
> it was disabled by vrt update
> SERVER-ORACLE database username buffer overflow
> 1:13719
> it was disabled by vrt update
> SERVER-WEBAPP /doc/ access
> 1:1560
> it was disabled by vrt update
> SERVER-WEBAPP backup access
> 1:1213
> it was disabled by vrt update
> SERVER-WEBAPP calendar access
> 1:882
> it was disabled by vrt update
> SERVER-WEBAPP chatbox.php access
> 1:2305
> it was disabled by vrt update
> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt
> 1:2381
> it was disabled by vrt update
> SERVER-WEBAPP Cisco /%% DOS attempt
> 1:1546
> it was disabled by vrt update
> SERVER-WEBAPP csh access
> 1:862
> it was disabled by vrt update
> WEB-FRONTPAGE /_vti_bin/ access
> 1:1288
> it was disabled by vrt update
>  
> I am looking forwards to hear your reply.
>
> Best regards, 
>
> Dennis Lau
>  
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122912_______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122412

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!