Thursday, February 9, 2012

VRT Rule release for 02/09/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 10 new rules and made modifications to 4172 additional rules.

There were no changes made to the snort.conf in this release.

Today, we leveled the playing field between the various ways to get Snort rules. It has long been the case where Sourcefire products, by default, enabled rules in the balanced-ips policy.  
When you use PulledPork (, this is also the default behavior. But when you simply downloaded the rules from, the rules were a hodge podge of rules that were enabled or disabled, denoted by whether or not the rule was commented out in the rules file.
In an effort to make the barrier to entry that much easier, the Open Source rule package downloaded on now exactly mirrors what you would get if you used PulledPork. All rules in balanced-ips are enabled and all rules not in balanced-ips are disabled. The exception to this is that rules that set flowbits that are used by rules that are in balanced-ips are also enabled. This means that the default Open Source ruleset will now provide a good balance between speed, performance, and detection and all rules should work as expected.  Those using Oinkmaster, or simply downloading the ruleset directly, will now be running the "balanced-ips" policy.  A rule's "on/off" state is now dictated by policy.
This change is in no way an indication that PulledPork is not the recommended way to manage your Open Source ruleset. PulledPork also tracks your own custom policy tailored to your environment and provides other benefits. If you want to use the security-ips policy, you may go through and enable these rules by default, or choose the easy way and use PulledPork to manage this for you. So, use PulledPork if you aren't already!

 In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories.
Details: The Sourcefire VRT has added and modified multiple rules in the attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns, dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc, multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc, rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put, sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc and x11 rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at Make sure and stay up to date to catch the most emerging threats!