Snort mailing list archives

Re: recent vrt updates disable many rules (web-iis, web-cgi, web-misc etc)


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 26 Apr 2010 07:47:54 -0400

It is my suggestion that you use PulledPork. It gives you the ability to use the default policy setups in the metadata.

--
Joel Esler
Sent from my iPhone

On Apr 26, 2010, at 2:17 AM, monitz <mmonitz () gmail com> wrote:

I feel that these kinds of changes should be listed as "disabled" and not as "modified" in update publishing.

Thanks for the response, Alex.

Does anyone know how to address the issue on Oinkmaster?




On Mon, Apr 26, 2010 at 5:47 AM, Alex Kirk <akirk () sourcefire com> wrote:

The VRT has been conducting reviews of the default policies of late - both those included in the metadata fields and the implied policies of commented out vs. not commented out. There are a number of rules that, in their time, were very useful, but are no longer, due to their age - many of these rules, for example, were for vulnerabilities 5 or more years old. Given that running a tighter, more focused ruleset is likely to produce more useful alerts, and given that a number of users simply accept the VRT defaults without much further thought, we decided it was best to turn off some of our older rules, where the probability of a successful attack has become exceedingly low.

Anyone who wants these rules, of course, is free to turn them right back on. That's the beauty of running your own IDS - you need not accept the VRT's judgments as your own if you don't want to.

On Sun, Apr 25, 2010 at 3:53 AM, monitz <mmonitz () gmail com> wrote:
Hello,
I have noticed that the recent VRT update (08 April, I think) comments out many sigs.
I cannot find an announcement or explanation for this.

Does anyone have any idea why this happens?



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
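As an added example (not code from the thread, nor PulledPork's or Oinkmaster's own), here is the policy-selection step Joel points to: a rule is enabled when its metadata names the chosen policy and commented out otherwise, local enablesid/disablesid lists override the vendor default (the "turn them right back on" Alex mentions), and a separate check reports which SIDs changed state between two rule files, the "disabled" listing the thread asks for. The rule lines, SIDs and policy names are constructed for the example.

```python
import re

# Constructed sample rules, not taken from the thread or the VRT rule set. The
# "metadata:policy <name>-ips <action>" fields follow the convention PulledPork reads.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS old probe"; content:"/old.dll"; metadata:policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC recent overflow"; content:"/vuln"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI no policy"; content:"/cgi-bin/x"; sid:9000003; rev:1;)
"""

# A rule line, optionally commented out; we need the rule body and its SID.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<body>(?:alert|drop|log|pass)\s.*\bsid:\s*(?P<sid>\d+)\s*;.*)$')
POLICY_RE = re.compile(r'policy\s+([\w-]+)\s+(?:drop|alert)')

def rule_policies(body):
    """Return the set of policy names listed in the rule's metadata field."""
    m = re.search(r'metadata:([^;]*);', body)
    return set(POLICY_RE.findall(m.group(1))) if m else set()

def apply_policy(text, policy, enablesid=(), disablesid=()):
    """Enable rules whose metadata names `policy`, comment out the rest; local
    enablesid/disablesid overrides win over the vendor default."""
    out, enabled, disabled = [], set(), set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)          # comments, blank lines, non-rule text pass through
            continue
        body, sid = m.group('body'), int(m.group('sid'))
        on = policy in rule_policies(body)
        if sid in enablesid:
            on = True
        if sid in disablesid:
            on = False
        out.append(body if on else '# ' + body)
        (enabled if on else disabled).add(sid)
    return '\n'.join(out) + '\n', enabled, disabled

def state_changes(old_text, new_text):
    """Map SID -> 'enabled'/'disabled' for rules whose state differs between two files."""
    def states(text):
        return {int(m.group('sid')): m.group('off') is None
                for m in map(RULE_RE.match, text.splitlines()) if m}
    old, new = states(old_text), states(new_text)
    return {sid: ('enabled' if new[sid] else 'disabled')
            for sid in old.keys() & new.keys() if old[sid] != new[sid]}

if __name__ == '__main__':
    rules, on, off = apply_policy(SAMPLE_RULES, 'security-ips', enablesid={9000003})
    print(rules)
    print('enabled:', sorted(on), 'disabled:', sorted(off))
    print('changes vs. shipped file:', state_changes(SAMPLE_RULES, rules))
```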
