Tuesday, October 15, 2013

Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/15/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 6468 additional rules. You should notice additional alerts in your console that you may have never seen before. If you believe these to be false positives, please file a false positive report here: Submit a False Positive, or report them via the Snort-sigs mailing list. You may always find this link in the footer of Snort.org.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
This rule release contains updated base policies for use in your Snort
devices.

To help customers understand these changes, we are taking this
opportunity to explain the process used by the VRT for deciding how
rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability
that might be covered by a rule. For more information on CVSS please
visit http://www.first.org/cvss. The second criterion is temporal
and concerns the age of a particular vulnerability. The final criterion
is the rule's particular area of coverage. For example, SQL Injection
rules are considered important enough that their category influences
whether they are included in a policy. Note that the vulnerabilities
covered by the rules in these categories are considered important
regardless of age.

The considerations for each policy are described below.

Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Not used for this policy


Balanced Base Policy:

1. CVSS Score 9 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit


Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)
  • Year prior (2010 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit
  • App-detect


All new rules are placed into the policies based on these criteria.
Every year during the third quarter, the policies will be re-assessed,
and rules from previous years will be removed from the policy as their
vulnerabilities age, to keep the policy compliant with our temporal
selection criteria. Thus, in the third quarter of 2014, the rules from
2011 will be removed from the “Connectivity over Security” and
“Balanced” policies, while the rules from 2010 will be removed from
the “Security over Connectivity” policy. If rules move between
categories, their presence in policies will also be decided based on
the category selection process. Likewise, should the CVSS score change
for a particular vulnerability that is covered by a rule, its presence
in a policy based on the CVSS metric is also re-assessed.

Rules in the listed policies are evaluated on a rule-by-rule basis.
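The three policies above are a small decision table, and it is worth being able to check where a given rule lands and which rules the yearly Q3 re-assessment will drop. The following is an added example written for this post, not VRT code or a Snort tool; it assumes that a rule in one of a policy's listed categories is included regardless of age and CVSS, while every other rule must meet both the CVSS threshold and the age window. The SIDs are constructed, local-range values.

```python
from dataclasses import dataclass

# Categories the release notes list as influencing inclusion regardless of age.
BALANCED_CATEGORIES = frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit"})
SECURITY_CATEGORIES = BALANCED_CATEGORIES | {"app-detect"}

@dataclass(frozen=True)
class Policy:
    name: str
    min_cvss: float
    years_back: int          # 2 = current year, last year, year before last
    categories: frozenset    # empty = rule category not used for this policy

POLICIES = (
    Policy("connectivity-over-security", 10.0, 2, frozenset()),
    Policy("balanced", 9.0, 2, BALANCED_CATEGORIES),
    Policy("security-over-connectivity", 8.0, 3, SECURITY_CATEGORIES),
)

def in_policy(policy, cvss, vuln_year, category, current_year):
    """Assumed reading of the notes: a rule in one of the policy's listed categories
    is included regardless of age (and of CVSS, since such rules often map to no
    CVE); otherwise both the CVSS threshold and the age window must hold."""
    if category.lower() in policy.categories:
        return True
    if cvss < policy.min_cvss:
        return False
    return current_year - policy.years_back <= vuln_year <= current_year

def policies_for(cvss, vuln_year, category, current_year):
    """Names of the base policies a rule is placed in for the given year."""
    return [p.name for p in POLICIES if in_policy(p, cvss, vuln_year, category, current_year)]

def dropped_at_reassessment(rules, prev_year, new_year):
    """SIDs that leave each policy when the Q3 re-assessment moves the window
    from prev_year to new_year. `rules` yields (sid, cvss, vuln_year, category)."""
    dropped = {p.name: [] for p in POLICIES}
    for sid, cvss, year, cat in rules:
        for p in POLICIES:
            if in_policy(p, cvss, year, cat, prev_year) and not in_policy(p, cvss, year, cat, new_year):
                dropped[p.name].append(sid)
    return dropped

# Constructed sample rules with local-range SIDs, not real VRT rules.
SAMPLE_RULES = [
    (1000001, 10.0, 2011, "server-webapp"),   # leaves connectivity and balanced in 2014
    (1000002, 8.0, 2010, "server-other"),     # leaves security-over-connectivity in 2014
    (1000003, 0.0, 2009, "malware-cnc"),      # category keeps it in balanced and security
    (1000004, 9.3, 2013, "browser-plugins"),  # balanced and security, not connectivity
]
```

Running `dropped_at_reassessment(SAMPLE_RULES, 2013, 2014)` reproduces the notes' statement that 2011 rules leave the first two policies in 2014 while 2010 rules leave the third.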

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!