Snort mailing list archives

Re: Zero day attack protection


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 28 Oct 2013 09:18:28 -0400

Correct. The VRT, when creating detection for various things throughout the weeks, quite often runs across
a vulnerability we already cover with an existing rule. We call this prior coverage, and if the attack vector
does not require us to write a new rule for the vulnerability or threat, we'll simply update the reference on
an older rule.

Sent from my iPhone
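
As an added illustration of the "prior coverage" check Joel describes (example code, not VRT tooling or anything from this thread), the script below scans a ruleset for rules that already reference a given advisory and, if one exists, appends the reference to that rule and bumps its `rev` instead of creating a new rule. The two sample rules, their SIDs and the CVE-style id `2099-0001` are constructed for the example.

```python
"""Check a Snort ruleset for prior coverage of a reference (e.g. a CVE) and
update an existing rule's reference list rather than writing a new rule.
Added example, not VRT tooling; all rule ids and references are constructed."""
import re

# constructed sample ruleset: one rule already carries the CVE-style reference
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE long URI overflow"; flow:to_server,established; content:"GET"; reference:cve,2099-0001; classtype:attempted-admin; sid:9000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE unrelated rule"; flow:to_server,established; content:"POST"; sid:9000002; rev:1;)
"""

# one rule option: key:value; where value may be a quoted string
_OPT_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(line):
    """Return (header, options dict) for one rule line; repeated keys
    such as 'reference' are collected into a list."""
    head, body = line.split("(", 1)
    body = body.rsplit(")", 1)[0]
    opts = {}
    for key, val in _OPT_RE.findall(body):
        opts.setdefault(key, []).append(val.strip('"'))
    return head.strip(), opts

def find_prior_coverage(rules_text, ref_type, ref_id):
    """SIDs of rules that already reference ref_type,ref_id (case-insensitive)."""
    want = f"{ref_type},{ref_id}".lower()
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, opts = parse_rule(line)
        refs = [r.lower() for r in opts.get("reference", [])]
        if want in refs:
            hits.append(int(opts.get("sid", ["0"])[0]))
    return hits

def add_reference(rule_line, ref_type, ref_id):
    """Add a reference to an existing rule and bump its rev.
    Idempotent: the rule is returned unchanged if the reference is present."""
    _, opts = parse_rule(rule_line)
    have = [r.lower() for r in opts.get("reference", [])]
    if f"{ref_type},{ref_id}".lower() in have:
        return rule_line
    rev = int(opts.get("rev", ["1"])[0])
    rule_line = re.sub(r"rev:\d+;", f"rev:{rev + 1};", rule_line)
    # place the new reference just before the sid option
    return rule_line.replace(" sid:", f" reference:{ref_type},{ref_id}; sid:", 1)
```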

On Oct 28, 2013, at 5:25, Saint Crusty <saintcrusty () gmail com> wrote:

Snort signatures have repeatedly stopped a zero-day because they were
well researched, meaning the signature was able to block a variation or
a progression of an already covered attack. I believe this is what is
called virtual patching.

This does not mean Snort has zero-day protection out-of-the-box. That
would require some futuristic piece of software to achieve ;-) since
you'd have to compensate for every possible attack vector. Protecting
against buffer overflow, injection attacks, XSS and others is probably the
only thing that can be done for now. To some extent.

On 28/10/13 06:10, Anshuman Anil Deshmukh wrote:
Hi,

Can I get some past references or examples where Snort was able to
protect from zero day (0 day) attacks, maybe with open signatures or
using the subscriber/registered set of signatures?

Thanks and Regards,

Anshuman
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Saint Crusty (a handle like any other, not a name)