Snort mailing list archives
Re: CVE-2012-5076 and CVE-2012-1723 Rules
From: "lists () packetmail net" <lists () packetmail net>
Date: Mon, 26 Nov 2012 09:00:35 -0600
On 11/25/2012 07:34 PM, Joel Esler wrote:
> I'll take a look and see what we can do to improve any coverage we are missing,
> blackhole, especially v2, is a pain.
Joel, on the ET side and based on my network analysis, I am seeing very good methods for combating some of this. I would like for us to work more on this. Any more news regarding a community-focused ruleset without delay between registered users and subscribers?

On 11/25/2012 04:26 AM, Snort Troubleshooting wrote:
> I went ahead and downloaded ET (open-source) rules and stuck them in there. Then I browsed to the blackhole website again, and Snort fired on two ET rules, namely sid:2015724 and sid:2015725.
You've just stumbled across some idiosyncratic differences between the VRT and ET rulesets. This has been discussed in the past, but myself being a participant in the ET ruleset, I can say that, as compared to VRT, ET/we are more focused on the exploit kit and permutations of the exploit kits as a community and have great coverage based on community input. No flame war intended -- I think very highly of the VRT crew, but in a sea of security issues there are differences between both rulesets and I have always viewed them as complementary. When ET PRO came out, the gap between what ET lacked was greatly reduced. VRT has had some good exploit kit signatures as well, and when Joel and I were exchanging e-mails and gearing up a community around "VRT COMMUNITY" there was some great Blackhole V1 detection.

Wish everyone the best, and at no point am I trying to create a "me versus them" theme. We're all the good guys here, no point to piss on each other's legs. These are just my opinions after having been engaged in both communities for some time.

Cheers,
Nathan