Snort mailing list archives
Re: Rule categories
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 4 Jan 2012 14:50:41 -0500
On Jan 4, 2012, at 5:10 AM, Peter Bates wrote:
> Hello all, and a Happy New Year. I'm trying to rationalise and tidy up some of my use of multiple (VRT, ET) rulesets. In the process I'm trying to get a handle on different rule categories.
We are going to be reorganizing the rule categories in the near future, so they will make more sense.
> Taking 3 arbitrary recently modified examples: 13470 - EXPLOIT Microsoft Office Publisher memory corruption attempt (exploit.rules)
A vulnerability based rule written covering the vulnerability.
> 13865 - WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules)
A vulnerability based rule written covering the vulnerability that affects a client side application that typically would be attacked by downloading a file from the web.
> 15993 - SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt (specific-threats.rules)
A specific exploit targeting this vulnerability has been observed in the wild, and this rule will target that particular attempt.
> All of the above SIDs are for external web-based traffic (i.e. $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET) and are all classification 'attempted-user', but what makes for one rule being in one file and one in another? Thanks - just wondering with my post-Xmas befuddled brain.
No problem. As I said, all the rule categories will be reorganized soon, and we'll be posting details on that in the future.
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
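An added Python example, not from the thread and not Sourcefire's tooling, that makes Peter's observation concrete for someone tidying up several rulesets: it parses constructed Snort rules carrying the three SIDs above, groups them by header and classtype, and shows that all three collapse onto one key, so the category file is decided by the kind of coverage Joel describes rather than by anything in the header. The rule text is constructed for this example, and the msg-prefix-matches-file-name check is an assumed convention inferred from the three examples, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample rulesets: SIDs, msg prefixes and file names come from the thread; the rule bodies are placeholders, not VRT rules.
SAMPLE_RULESETS = {
    "exploit.rules": ['alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; classtype:attempted-user; sid:13470; rev:1;)'],
    "web-client.rules": ['alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Adobe BMP image handler buffer overflow attempt"; flow:to_client,established; classtype:attempted-user; sid:13865; rev:1;)'],
    "specific-threats.rules": ['alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; classtype:attempted-user; sid:15993; rev:1;)'],
}

# Header: action proto src sport dir dst dport (options); each option is keyword:value; where value may be a quoted string
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(line):
    """Return header fields plus msg, sid, classtype and msg prefix of one rule, or None if it is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    opts = {k: v.strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    rule["msg"] = opts.get("msg", "")
    rule["sid"], rule["classtype"] = opts.get("sid"), opts.get("classtype")
    rule["prefix"] = rule["msg"].split(" ", 1)[0]  # EXPLOIT, WEB-CLIENT, SPECIFIC-THREATS, ...
    return rule

def inventory(rulesets):
    """Group rules that share header and classtype; each value lists the (file, sid) pairs in that group."""
    groups = defaultdict(list)
    for filename, lines in rulesets.items():
        for line in lines:
            r = parse_rule(line)
            if r:
                key = (r["src"], r["sport"], r["dir"], r["dst"], r["dport"], r["classtype"])
                groups[key].append((filename, r["sid"]))
    return dict(groups)

def mismatched_prefixes(rulesets):
    """SIDs whose msg prefix does not match the category file they live in (assumed convention: exploit.rules <-> EXPLOIT)."""
    bad = []
    for filename, lines in rulesets.items():
        expected = filename.rsplit(".", 1)[0].upper()  # exploit.rules -> EXPLOIT
        for line in lines:
            r = parse_rule(line)
            if r and r["prefix"] != expected:
                bad.append(r["sid"])
    return bad
```

Calling `inventory(SAMPLE_RULESETS)` yields a single key for all three SIDs, which is exactly why header and classtype cannot tell you which file a rule belongs in.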