Snort mailing list archives
Re: Bleeding Snort rules and Sourcefire Official rules
From: Eric Hines <eric.hines () appliedwatch com>
Date: Tue, 25 Oct 2005 15:37:23 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hinsuk, Consider the Bleeding-edge rules to augment your rules from snort.org. In some cases they fill some gaps that may exist in the Snort.org signature base (e.g. Virus and Spyware).. The bleeding-edge spyware signatures are tremendously accurate, we have several federal customers that rely on them heavily for tracking down spyware infected machines. As the name states, consider them to be on the bleeding-edge of things. Test your rules before applying them enterprise wide. In summary, no Snort deployment is complete without rulesets from bleeding-edge :) Best Regards, Eric Hines, GCIA, CISSP CEO, President, Chairman Applied Watch Technologies, LLC - --------------------------------------------------- Eric Hines, GCIA, CISSP CEO, President, Chairman Applied Watch Technologies, LLC - --------------------------------------------------- Headquarters: 1095 Pingree Road Suite 213 Crystal Lake, IL 60014 Virginia Office: 4524 Waverly Crossing Lane (DoD/Intelligence) Chantilly, Va. 20151 TS/SCI Cleared Personnel - --------------------------------------------------- Web Site: http://www.appliedwatch.com Tel: (877) 262-7593 Direct: (877) 262-7593 ext:327 Cell: (847) 456-6785 - --------------------------------------------------- - - Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
HinSuk, I run both sets of rules. I do not find too much overlap ? usually when one is turned into an ?official? rule ? then they pull it out of the bleeding set pretty quickly. Krisa ------------------------------------------------------------------------ *From:* snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] *On Behalf Of *hchlai () netscape net *Sent:* Tuesday, October 25, 2005 3:06 PM *To:* snort-users () lists sourceforge net *Subject:* [Snort-users] Bleeding Snort rules and Sourcefire Official rules Hi Snorters, How is Bleeding Snort rules compare to Sourcefire Official rules in terms of accuracy in detecting intrusion attempts? Which set of rules are more practical to implement in a corporate environment? I'm thinking of implementing both sets of rules but I am afraid to run into many overlap alerts, has anybody try this before? What's the result is like? Many thanks! HinSuk ------------------------------------------------------------------------ *Look What The New Netscape.com Can Do!* Now you can preview dozens of stories and have the ones you select delivered to you without ever leaving the Top Home Page. And the new Tool Box gives you one click access to local Movie times, Maps, White Pages and more. Click to test drive <%20http://netcenter.netscape.com/netcenter/>.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDXpeDobrbO5ZoXNARAstMAKCH8d4IneGNiDbC2U9Fvw0zRf0E6ACeLjw6 MFWs7Qh/qli6SGO4p05LZSs= =iBW0 -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Bleeding Snort rules and Sourcefire Official rules hchlai (Oct 25)
- <Possible follow-ups>
- RE: Bleeding Snort rules and Sourcefire Official rules Rowland, Krisa W ERDC-ITL-MS Contractor (Oct 25)
- Re: Bleeding Snort rules and Sourcefire Official rules Eric Hines (Oct 25)