Snort mailing list archives
Snort.org Blog: Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 15 Oct 2013 14:26:04 -0400
http://blog.snort.org/2013/10/sourcefire-vrt-certified-snort-rules_15.html

Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 6468 additional rules. You should notice additional alerts in your console that you may have never seen before. If you believe these to be false positives, please file a false positive report here: Submit a False Positive, or via the Snort-sigs mailing list. You may always find this link in the footer of Snort.org.

In VRT's rule release:

This rule release contains updated base policies for use in your Snort devices. To help customers understand these changes, we are taking this opportunity to explain the process used by the VRT for deciding how rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability that might be covered by a rule. For more information on CVSS please visit http://www.first.org/cvss. The second criterion is temporal-based and concerns the age of a particular vulnerability. The final criterion is the particular area of coverage for the rule. So for example, SQL Injection rules are considered to be important enough to have influence when being considered for policy inclusion. Note that the vulnerabilities covered by the rules in these categories are considered important regardless of age.

The considerations for each policy are described below.

Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:
   • Current year (2013 for example)
   • Last year (2012 in this example)
   • Year before last (2011 in this example)
3. Rule Category
   • Not used for this policy

Balanced Base Policy:

1. CVSS Score 9 or greater
2. Age of the vulnerability:
   • Current year (2013 for example)
   • Last year (2012 in this example)
   • Year before last (2011 in this example)
3. Rule Category
   • Malware-Cnc
   • Blacklist
   • SQL Injection
   • Exploit-kit

Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:
   • Current year (2013 for example)
   • Last year (2012 in this example)
   • Year before last (2011 in this example)
   • Year prior (2010 in this example)
3. Rule Category
   • Malware-Cnc
   • Blacklist
   • SQL Injection
   • Exploit-kit
   • App-detect

All new rules are placed into the policies based on these criteria. Every year during the third quarter of the year, the policies will be re-assessed and rules from previous years, as the vulnerabilities age, will be removed from the policy to keep the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2014, the rules from 2011 will be removed from the "Connectivity over Security" and "Balanced" policies while the rules from 2010 will be removed from the "Security over Connectivity" policy.

If rules move between categories, their presence in policies will also be decided based on the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, its presence in a policy based on the CVSS metric is also re-assessed. Rules in the listed policies are evaluated on a rule-by-rule basis.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire
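The three-criteria selection above (CVSS threshold, age window, rule category) and the annual third-quarter re-assessment can be modelled as a small decision procedure. The following Python is an added example written for this archive page; it is not VRT or Sourcefire code and does not read real Snort rule files. It assumes one reading of the post that the post does not spell out: a rule lands in a policy if it satisfies the CVSS-and-age test for that policy, or if it belongs to one of that policy's listed categories (which the post says count regardless of age). The SIDs, categories, scores and years in the sample rules are constructed for illustration only.

```python
"""Policy membership for Snort VRT rules under the 2013 rebalancing criteria.

Added example for the mailing-list post above; not VRT code. The combination
rule (CVSS+age OR listed category) is this example's reading of the post.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Criteria transcribed from the post. "years" is the inclusive window counted
# back from the current year: 3 = current year, last year, year before last;
# 4 = the same plus the year prior. Category names follow the post, lower-cased.
POLICIES: Dict[str, dict] = {
    "connectivity": {
        "min_cvss": 10.0,
        "years": 3,
        "categories": frozenset(),  # category is not used for this policy
    },
    "balanced": {
        "min_cvss": 9.0,
        "years": 3,
        "categories": frozenset(
            {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"}),
    },
    "security": {
        "min_cvss": 8.0,
        "years": 4,
        "categories": frozenset(
            {"malware-cnc", "blacklist", "sql-injection", "exploit-kit", "app-detect"}),
    },
}


@dataclass(frozen=True)
class Rule:
    sid: int                        # hypothetical SIDs in the samples below
    category: str
    cvss: Optional[float] = None    # None when the rule covers no scored vulnerability
    vuln_year: Optional[int] = None


def in_cvss_window(rule: Rule, policy: dict, current_year: int) -> bool:
    """CVSS criterion: score at or above the threshold AND vulnerability
    disclosed inside the policy's inclusive age window."""
    if rule.cvss is None or rule.vuln_year is None:
        return False
    if rule.cvss < policy["min_cvss"]:
        return False
    oldest_allowed = current_year - policy["years"] + 1
    return oldest_allowed <= rule.vuln_year <= current_year


def in_category(rule: Rule, policy: dict) -> bool:
    """Category criterion: listed categories qualify regardless of age or score."""
    return rule.category.lower() in policy["categories"]


def policies_for(rule: Rule, current_year: int) -> FrozenSet[str]:
    """Return the set of base policies a rule belongs to in a given year."""
    return frozenset(
        name for name, policy in POLICIES.items()
        if in_cvss_window(rule, policy, current_year) or in_category(rule, policy)
    )


def rebalance(rules: Iterable[Rule], old_year: int,
              new_year: int) -> Dict[int, Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Annual (Q3) re-assessment: report every rule whose policy membership
    changes when the current year advances from old_year to new_year."""
    changes: Dict[int, Tuple[FrozenSet[str], FrozenSet[str]]] = {}
    for rule in rules:
        before = policies_for(rule, old_year)
        after = policies_for(rule, new_year)
        if before != after:
            changes[rule.sid] = (before, after)
    return changes


# Constructed sample rules; SIDs, categories, scores and years are made up.
SAMPLE_RULES = [
    Rule(sid=9000001, category="server-webapp", cvss=10.0, vuln_year=2011),
    Rule(sid=9000002, category="server-other", cvss=8.5, vuln_year=2010),
    Rule(sid=9000003, category="malware-cnc"),
    Rule(sid=9000004, category="app-detect"),
    Rule(sid=9000005, category="browser-plugins", cvss=9.3, vuln_year=2013),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.sid, sorted(policies_for(rule, 2013)))
    for sid, (before, after) in rebalance(SAMPLE_RULES, 2013, 2014).items():
        print(f"{sid}: {sorted(before)} -> {sorted(after)}")
```

Running it with 2013 as the current year puts the 2011 CVSS-10 rule in all three policies; advancing to 2014 drops it from "connectivity" and "balanced" and keeps it in "security", and drops the 2010 rule from "security", which is exactly the Q3 2014 outcome the post describes. Rules qualifying only by category (malware-cnc, app-detect) are unaffected by the year change.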
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort.org Blog: Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing Joel Esler (Oct 15)