Snort mailing list archives

Re: Some notes about today's VRT Rule release for 02/09/2012


From: Miso Patel <miso.patel () gmail com>
Date: Thu, 9 Feb 2012 15:23:28 -0600

Is it possible to have the "VRT" rule updates actually contain a synopsis
of what was updated so people don't have to wade through multiple web pages
just to see them?

Thanks!

Miso, CISO

On Thu, Feb 9, 2012 at 2:58 PM, Joel Esler <jesler () sourcefire com> wrote:

*VRT Rule release for 02/09/2012*

Join us as we welcome the introduction of the newest rule release for
today <http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-02-09.html> from the VRT. In this release we
introduced 10 new rules and made modifications to *4172* additional rules.

There were no changes made to the snort.conf in this release.

Today, we leveled the playing field between the various ways to get Snort
rules. It has long been the case where Sourcefire products, by default,
enabled rules in the balanced-ips policy.

When you use PulledPork (http://code.google.com/p/pulledpork/), this is
also the default behavior. But when you simply downloaded the rules from
Snort.org, the rules were a hodgepodge of rules that were enabled or
disabled, denoted by whether or not the rule was commented out in the rules
file.

In an effort to make the barrier to entry that much easier, the Open
Source rule package downloaded on snort.org now exactly mirrors what you
would get if you used PulledPork. All rules in balanced-ips are enabled and
all rules not in balanced-ips are disabled. The exception to this is that
rules that set flowbits that are used by rules that are in balanced-ips are
also enabled. This means that the default Open Source ruleset will now
provide a good balance between speed, performance, and detection and all
rules should work as expected.  Those using Oinkmaster, or simply
downloading the ruleset directly, will now be running the "balanced-ips"
policy.  A rule's "on/off" state is now dictated by policy.

This change is in no way an indication that PulledPork is not the
recommended way to manage your Open Source ruleset. PulledPork also tracks
your own custom policy tailored to your environment and provides other
benefits. If you want to use the security-ips policy, you may go through
and enable these rules by default, or choose the easy way and use
PulledPork to manage this for you. So, use PulledPork if you aren't already!

In VRT's rule release:

Synopsis: This release adds and modifies rules in several categories.

Details: The Sourcefire VRT has added and modified multiple rules in the
attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns,
dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc,
multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc,
rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put,
sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc
and x11 rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now <http://www.snort.org/vrt/buy-a-subscription/> to the VRT's newest rule detection
functionality, you can subscribe for as
low as $29 US dollars a year for personal users; be sure to see our
business pricing as well at http://www.snort.org/store. Make sure to
stay up to date to catch the most emerging threats!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!