Snort mailing list archives
Re: Snort Rules changelog
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 14 Sep 2011 09:27:29 -0400
See inline. On Wed, Sep 14, 2011 at 9:07 AM, uri shalev <dabitter () gmail com> wrote:
> Hi all,
>
> I'm trying to understand the rules changelog, i.e., this page:
> http://www.snort.org/vrt/docs/ruleset_changelogs/2_9_1_0/changes-2011-09-13.html
>
> 1. Does every line actually stand for a new, unique IPS solution addressing the vulnerability described (under the 'New Rules')?

Each line is a new Snort rule. A given rule may cover a given vulnerability directly, on a 1-to-1 basis. However, sometimes it takes more than one rule to cover a given vulnerability or piece of malware, in which case each rule covers some piece of the vulnerability/malware.
> 2. In the 'Modified Rules' section, are these existing rules that have been improved?

Exactly.
> 3. Some of the rules address the same issues, with a slight difference, for instance:
>
> * 1:20097 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir infected host at destination ip (botnet-cnc.rules)
> * 1:20096 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir outbound connection (botnet-cnc.rules)
>
> Again, do they stand for an individual solution or are they two parts of the same protection?

Two parts of the same thing. Often, when we're looking at C&C channels, we pick up different parts of the connection, to give IDS boxes a better chance to see the infected system sooner.
> Maybe I'm missing the entire concept of the rules system; I'd appreciate it if you could help me understand it a little better.
>
> Thanks,
> BB

--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
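The reply above describes the two things a reader of the changelog has to keep apart: each changelog line is one rule, but several rules can be pieces of one protection (for C&C traffic, one rule per direction of the connection). The following script is an added example, not code from the thread or from Sourcefire: it parses lines in the `<gid>:<sid> <-> <state> <-> <message> (<file>)` format quoted in the question and groups rules that differ only by the direction suffix, so that 1:20096 and 1:20097 land under one threat. The third sample line (SID 99999, `example.rules`) and the list of direction suffixes are constructed for the example.

```python
import re
from collections import defaultdict

# Changelog line format as quoted in the thread:
#   * <gid>:<sid> <-> <ENABLED|DISABLED> <-> <message> (<rule file>)
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<file>[\w.-]+\.rules)\)\s*$"
)

# Suffixes naming which side of a C&C exchange a rule watches (constructed list built from the
# two message texts in the thread). Rules whose messages match apart from one of these suffixes
# are treated as parts of the same protection.
ROLE_SUFFIXES = (
    "infected host at destination ip",
    "outbound connection",
)


def parse_line(line):
    """Return a dict with gid, sid, state, msg and file for one changelog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["gid"] = int(entry["gid"])
    entry["sid"] = int(entry["sid"])
    return entry


def threat_key(msg):
    """Strip a direction suffix so rules covering one threat share a key."""
    lowered = msg.lower()
    for suffix in ROLE_SUFFIXES:
        if lowered.endswith(suffix):
            return msg[: -len(suffix)].rstrip(), suffix
    return msg, None


def group_by_threat(lines):
    """Map threat description -> list of (gid, sid, role) for every parsable line."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not a changelog rule line; skip silently
        key, role = threat_key(entry["msg"])
        groups[key].append((entry["gid"], entry["sid"], role or "single rule"))
    return dict(groups)


# Constructed sample: the two lines quoted in the thread plus one made-up line (SID 99999,
# example.rules are placeholders, not real rules) to show a one-rule protection.
SAMPLE = """\
* 1:20097 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir infected host at destination ip (botnet-cnc.rules)
* 1:20096 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir outbound connection (botnet-cnc.rules)
* 1:99999 <-> DISABLED <-> EXAMPLE-FAMILY placeholder single-rule coverage (example.rules)
"""

if __name__ == "__main__":
    for threat, rules in group_by_threat(SAMPLE.splitlines()).items():
        print(f"{threat}: {len(rules)} rule(s)")
        for gid, sid, role in rules:
            print(f"  {gid}:{sid}  {role}")
```

Run against a changelog's 'New Rules' section, the grouping gives a quick count of how many distinct protections a release adds versus how many rule lines it lists; the suffix table is the part to extend if your changelog uses other direction phrases.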
Current thread:
- Snort Rules changelog uri shalev (Sep 14)
- Re: Snort Rules changelog Alex Kirk (Sep 14)
- Re: Snort Rules changelog C Granger (Sep 14)
- Re: Snort Rules changelog Joel Esler (Sep 14)
- Re: Snort Rules changelog Chris Granger (Sep 14)
- Re: Snort Rules changelog Joel Esler (Sep 14)