Re: Bleeding Snort rules and Sourcefire Official rules

[Eric Hines <eric.hines () appliedwatch com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hinsuk,

Consider the Bleeding-edge rules to augment your rules from snort.org.
In some cases they fill some gaps that may exist in the Snort.org
signature base (e.g. Virus and Spyware).. The bleeding-edge spyware
signatures are tremendously accurate, we have several federal customers
that rely on them heavily for tracking down spyware infected machines.

As the name states, consider them to be on the bleeding-edge of things.
Test your rules before applying them enterprise wide.

In summary, no Snort deployment is complete without rulesets from
bleeding-edge :)


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


- ---------------------------------------------------
Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
- ---------------------------------------------------
Headquarters:           1095 Pingree Road
                        Suite 213
                        Crystal Lake, IL 60014

Virginia Office:        4524 Waverly Crossing Lane
(DoD/Intelligence)      Chantilly, Va. 20151    
                        TS/SCI Cleared Personnel
- ---------------------------------------------------
Web Site:               http://www.appliedwatch.com
Tel:                    (877) 262-7593
Direct:                 (877) 262-7593 ext:327
Cell:                   (847) 456-6785
- ---------------------------------------------------
- -


Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
> HinSuk,
>
>  
>
> I run both sets of rules.  I do not find too much overlap ? usually when
> one is turned into an ?official? rule ? then they pull it out of the
> bleeding set pretty quickly. 
>
>  
>
> Krisa
>
>  
>
> ------------------------------------------------------------------------
>
> *From:* snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] *On Behalf Of
> *hchlai () netscape net
> *Sent:* Tuesday, October 25, 2005 3:06 PM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Bleeding Snort rules and Sourcefire Official rules
>
>  
>
> Hi Snorters,
>
>  
>
> How is Bleeding Snort rules compare to Sourcefire Official rules in
> terms of accuracy in detecting intrusion attempts? Which set of rules
> are more practical to implement in a corporate environment? I'm thinking
> of implementing both sets of rules but I am afraid to run into many
> overlap alerts, has anybody try this before? What's the result is like?
>
>  
>
> Many thanks!
>
>  
>
> HinSuk
>
>  
>
> ------------------------------------------------------------------------
>
> *Look What The New Netscape.com Can Do!*
> Now you can preview dozens of stories and have the ones you select
> delivered to you without ever leaving the Top Home Page. And the new
> Tool Box gives you one click access to local Movie times, Maps, White
> Pages and more. Click to test drive
> <%20http://netcenter.netscape.com/netcenter/>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDXpeDobrbO5ZoXNARAstMAKCH8d4IneGNiDbC2U9Fvw0zRf0E6ACeLjw6
MFWs7Qh/qli6SGO4p05LZSs=
=iBW0
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users