Snort mailing list archives

Re: Malware Sigs Plus Vuln Sigs or Vuln Sigs Only


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 3 Feb 2011 10:51:10 -0500

On Thu, Feb 3, 2011 at 10:09 AM, Nolan, Tim <NolanTim () bfusa com> wrote:

I typically do not post much online. It is amusing to watch the ranting and
frothing and poking that go on in some of these forums, and picking out the
good bits of useful info (eating the watermelon and spitting out the seeds).

In my opinion Matt Jonkman is right in his general premise, and many of
those who resist adding malware sigs/rules and the like perhaps don’t even
really know what they are missing.

In my opinion, the way forward is more signatures, more reputation feeds,
and more threat intelligence aimed at both the detective and protective side
of the equation. As long as it is timely and accurate, we will be enabled to
do our jobs better, more proactively, and with a shorter interval between
infection and effective response, and fewer systems will be infected as a
result.

Thanks Joel and Matt for your entertaining exchange of helpful information,
etc. You guys rock and are both moving the ball down the field in the right
direction and doing awesome things to help the security community. Keep up
the good work.

Thanks Tim,

I'd like to see more people using the blacklist.rules, phishing-spam.rules,
and botnet-cnc.rules that the VRT ruleset provides.

Those rules are generated using real malware in our ClamAV sandbox, and now
with our Immunet intelligence being integrated in our feeds, our detection
will get more and more intelligent all the time.

However, I would like to see people using those three files above and let us
know your results.

Joel


-- 
Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net