Snort mailing list archives

Snort.org Blog: Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 15 Oct 2013 14:26:04 -0400


http://blog.snort.org/2013/10/sourcefire-vrt-certified-snort-rules_15.html

Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new 
rules and made modifications to 6468 additional rules.  You should notice additional alerts in your console that you 
may have never seen before.  If you believe these to be false positives, please file a false positive report here: 
Submit a False Positive, or via the Snort-sigs mailing list.  You may always find this link in the footer of Snort.org.

In VRT's rule release: 
This rule release contains updated base policies for use in your Snort
devices. 

To help customers understand these changes, we are taking this
opportunity to explain the process used by the VRT for deciding how
rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability
that might be covered by a rule. For more information on CVSS please
visit http://www.first.org/cvss. The second criterion is temporal-based
and concerns the age of a particular vulnerability. The final criterion
is the particular area of coverage for the rule. So for example, SQL
Injection rules are considered to be important enough to have influence
when being considered for policy inclusion. Note that the
vulnerabilities covered by the rules in these categories are considered
important regardless of age.

The considerations for each policy are described below.

Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

        • Current year (2013 for example)
        • Last year (2012 in this example)
        • Year before last (2011 in this example)

3. Rule Category

        • Not used for this policy


Balanced Base Policy:

1. CVSS Score 9 or greater
2. Age of the vulnerability:

        • Current year (2013 for example)
        • Last year (2012 in this example)
        • Year before last (2011 in this example)

3. Rule Category

        • Malware-Cnc
        • Blacklist
        • SQL Injection
        • Exploit-kit


Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

        • Current year (2013 for example)
        • Last year (2012 in this example)
        • Year before last (2011 in this example)
        • Year prior (2010 in this example)

3. Rule Category

        • Malware-Cnc
        • Blacklist
        • SQL Injection
        • Exploit-kit
        • App-detect


All new rules are placed into the policies based on these criteria.
Every year during the third quarter of the year, the policies will be
re-assessed and rules from previous years, as the vulnerabilities age,
will be removed from the policy to keep the policy compliant with our
temporal selection criteria. Thus, in the third quarter of 2014, the
rules from 2011 will be removed from the “Connectivity over
Security” and “Balanced” policies while the rules from 2010 will
be removed from the “Security over Connectivity” policy. If rules
move between categories, their presence in policies will also be
decided based on the category selection process. Likewise, should the
CVSS score change for a particular vulnerability that is covered by a
rule, its presence in a policy based on the CVSS metric is also
re-assessed.

Rules in the listed policies are evaluated on a rule-by-rule basis.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire
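The selection criteria quoted in the message above (CVSS threshold, age window and rule category per base policy, plus the annual third-quarter re-assessment) can be modelled as a small decision function. The following is an added example written for this archive page; it is not VRT code and not the logic Snort or Sourcefire actually ship. It assumes, where the message does not say so explicitly, that a rule enters a policy when it meets BOTH the CVSS threshold and the age window, OR when its category appears in that policy's category list (category-based inclusion ignoring CVSS and age, as the "regardless of age" remark suggests). The policy names, the `Rule`/`Policy` types, the SIDs and the sample rules are all constructed for the example.

```python
"""Model of the VRT base-policy assignment criteria (added example, not VRT code).

Assumptions not stated in the original message:
  * a rule is placed in a policy if (CVSS >= threshold AND age within window)
    OR its category is in the policy's category list;
  * category inclusion ignores both CVSS and age;
  * rules with no scored vulnerability (cvss=None) can only enter via category.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    min_cvss: float
    age_years: int                 # years back still accepted (2 = current year + two previous)
    categories: FrozenSet[str]     # categories included regardless of CVSS/age


# Thresholds, windows and categories as listed in the message.
POLICIES = (
    Policy("connectivity-over-security", 10.0, 2, frozenset()),
    Policy("balanced", 9.0, 2,
           frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit"})),
    Policy("security-over-connectivity", 8.0, 3,
           frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit", "app-detect"})),
)


@dataclass(frozen=True)
class Rule:
    sid: int                       # constructed SIDs from the local 1000000+ range
    cvss: Optional[float]          # None when no scored vulnerability is covered
    vuln_year: Optional[int]       # year of the covered vulnerability, if any
    category: str


def in_policy(rule: Rule, policy: Policy, current_year: int) -> bool:
    """Apply the three criteria for one rule against one policy."""
    if rule.category.lower() in policy.categories:
        return True                                   # category wins regardless of age/CVSS
    if rule.cvss is None or rule.vuln_year is None:
        return False                                  # nothing to score against
    age = current_year - rule.vuln_year
    age_ok = 0 <= age <= policy.age_years
    return rule.cvss >= policy.min_cvss and age_ok


def policies_for(rule: Rule, current_year: int) -> List[str]:
    return [p.name for p in POLICIES if in_policy(rule, p, current_year)]


def reassess(rules: List[Rule], current_year: int) -> Dict[int, List[str]]:
    """The annual (Q3) re-assessment: recompute membership for every rule."""
    return {r.sid: policies_for(r, current_year) for r in rules}


def dropped_after_reassessment(rules: List[Rule], previous_year: int,
                               current_year: int) -> Dict[str, List[int]]:
    """Which SIDs fall out of which policy purely because the vulnerabilities aged."""
    before = reassess(rules, previous_year)
    after = reassess(rules, current_year)
    dropped: Dict[str, List[int]] = {}
    for r in rules:
        for name in set(before[r.sid]) - set(after[r.sid]):
            dropped.setdefault(name, []).append(r.sid)
    return dropped


# Constructed sample rules illustrating the cases described in the message.
SAMPLE_RULES = [
    Rule(1000001, 10.0, 2011, "server-other"),      # CVSS 10, from 2011
    Rule(1000002, 8.5, 2010, "web-application"),    # CVSS 8.5, from 2010
    Rule(1000003, None, None, "malware-cnc"),       # category-only inclusion
    Rule(1000004, 7.5, 2013, "app-detect"),         # below every CVSS bar, category saves it
]

if __name__ == "__main__":
    for year in (2013, 2014):
        print(year, reassess(SAMPLE_RULES, year))
    print("dropped in 2014:", dropped_after_reassessment(SAMPLE_RULES, 2013, 2014))
```

Running `reassess` for 2013 and then 2014 reproduces the message's worked case: the 2011 rule leaves "Connectivity over Security" and "Balanced" but stays in "Security over Connectivity" (whose window is one year longer), while the 2010 rule leaves "Security over Connectivity". A CVSS change or a category change is just a new `Rule` value fed back through `policies_for`, which is the re-assessment the message describes.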
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
