Showing posts with label policy. Show all posts

Thursday, May 2, 2019

Snort rule update for May 2, 2019

Just released:
Snort Subscriber Rule Set Update for May 2, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 34 new rules, four of which are shared object rules. There are also seven modified rules, one of which is a shared object rule.

This release is the first of a number of additions to the max-detect policy intended to make it a heavily detection-focused policy. As such, performance will be impacted if this policy is enabled. It's highly recommended that users test this policy's performance before deploying it in production environments. As a result, there are a large number of modified rules today, which could make downloading this set take longer than usual.

There were no changes made to the snort.conf in this release.

Tuesday, May 5, 2015

Snort Subscriber Rule Set Update for 05/05/2015, Max-Detection Policy

Just released:
Snort Subscriber Rule Set Update for 05/05/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov: 34318

Yaser Mansour: 34307, 34308, 34309, 34310, 34311, 34312, 34313, 34314, 34315, 34316, 34317, 34335

Talos's rule release:
A new base policy, Maximum Detection, has been added in this release. The Maximum Detection policy will grow to encompass a selection of vulnerabilities from 2005 or later with a CVSS score of at least 7.5, along with critical malware and exploit kit rules.

The "Maximum Detection" policy favors detection over rated throughput. In some situations this policy can and will cause significant throughput reductions. Cisco's Talos continues to recommend the "Balanced Connectivity and Security" policy for most networks, and the "Security Over Connectivity" policy for customers with more rigorous security requirements.

Talos has also added and modified multiple rules in the browser-ie, exploit-kit, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, October 11, 2013

Snort VRT Default Ruleset Rebalancing

In an upcoming Rule Update, the VRT will be shipping updated base policies for use in your Snort installation.

To help customers understand these changes, we are taking this opportunity to explain the process used by the VRT for deciding how rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability that might be covered by a rule. For more information on CVSS please visit http://www.first.org/cvss. The second criterion is temporal and concerns the age of a particular vulnerability. The final criterion is the particular area of coverage for the rule. For example, SQL Injection rules are considered important enough to influence policy inclusion on their own. Note that the vulnerabilities covered by the rules in these categories are considered important regardless of age.

The considerations for each policy are described below.


Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Not used for this policy


Balanced Base Policy:

(As a reminder, the "Balanced" policy is the default shipping state of the VRT Ruleset for Open Source Snort)

1. CVSS Score 9 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit

Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)
  • Year prior (2010 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit
  • App-detect


All new rules are placed into the policies based on these criteria. Every year during the third quarter, the policies will be re-assessed, and rules from previous years, as the vulnerabilities age, will be removed from the policy to keep the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2014, the rules from 2011 will be removed from the "Connectivity over Security" and "Balanced" policies, while the rules from 2010 will be removed from the "Security over Connectivity" policy. If rules move between categories, their presence in policies will also be decided based on the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, its presence in a policy based on the CVSS metric is also re-assessed.

Rules in the listed policies are evaluated on a rule-by-rule basis. There will be some older rules that do not meet the criteria above but remain in the default policies. The above is the selection criteria for default rules and is always subject to change based upon the threat landscape.
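The following is an added example (not VRT code) that models the three base-policy criteria and the Q3 re-assessment described above. The thresholds, year windows and categories are taken from the post; treating a listed category as sufficient on its own, and the CVSS-plus-age test as the alternative path, is this example's assumption about how the criteria combine.

```python
from dataclasses import dataclass
from typing import Optional, Dict, Set, Iterable

# Per-policy criteria from the post. "years_back" is how many years before the
# assessment year still count (Connectivity/Balanced: current, last, year before
# last; Security over Connectivity adds one more year).
POLICIES = {
    "connectivity": {"min_cvss": 10.0, "years_back": 2, "categories": set()},
    "balanced": {"min_cvss": 9.0, "years_back": 2,
                 "categories": {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"}},
    "security": {"min_cvss": 8.0, "years_back": 3,
                 "categories": {"malware-cnc", "blacklist", "sql-injection",
                                "exploit-kit", "app-detect"}},
}


@dataclass(frozen=True)
class Rule:
    sid: int                    # constructed sample SIDs, not real rule ids
    cvss: Optional[float]       # None when the rule covers no scored vulnerability
    vuln_year: Optional[int]    # year of the covered vulnerability
    category: str               # rule category, e.g. "server-webapp"


def policies_for(rule: Rule, assessment_year: int) -> Set[str]:
    """Return the base policies a rule belongs to for a given assessment year."""
    selected = set()
    for name, crit in POLICIES.items():
        # Assumption: a listed category qualifies regardless of age or CVSS.
        if rule.category.lower() in crit["categories"]:
            selected.add(name)
            continue
        if rule.cvss is None or rule.vuln_year is None:
            continue
        oldest_year = assessment_year - crit["years_back"]
        if rule.cvss >= crit["min_cvss"] and oldest_year <= rule.vuln_year <= assessment_year:
            selected.add(name)
    return selected


def dropped_at_reassessment(rules: Iterable[Rule], previous_year: int,
                            new_year: int) -> Dict[str, Set[int]]:
    """SIDs that leave each policy when the Q3 re-assessment moves the year window."""
    dropped: Dict[str, Set[int]] = {name: set() for name in POLICIES}
    for rule in rules:
        for name in policies_for(rule, previous_year) - policies_for(rule, new_year):
            dropped[name].add(rule.sid)
    return dropped
```

Running `dropped_at_reassessment(rules, 2013, 2014)` over a rule set reproduces the post's worked case: 2011 vulnerabilities fall out of Connectivity and Balanced while 2010 vulnerabilities fall out of Security over Connectivity.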

If there are any questions, feel free to email me @ joel [at] sourcefire [dot] com, or use the Snort-Sigs mailing list:

https://www.snort.org/community