Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Rule Set Completness

from [Jason Brvenik] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Rule Set Completness
Date: Mon, 08 May 2006 17:16:45 -0400 


Erik Fichtner wrote:

Gentoo-Wally wrote:



1. Is the VRT set suppose to be a "complete" (for the lack of a better
word. Maybe adequate would be better?) rule set capable of independent
deployment. "Complete" meaning including rules for most known
vulnerabilities/attacks or...



No.  Of the fuzzy "sorta" variety of no.   It's complete in the sense that
if it doesn't detect something and you're a paying customer of sourcefire,
you can complain and alter that situation.


The rules set is complete in that it detects the things an intrusion
system is typically concerned about. It is not in the sense that it
detects everything you may be concerned about.

The nature of Snort is such that people tend to abuse its capabilities
for things that are not really related to intrusions. A perfect example
is AV or policy violations...

If you want high quality, tested rules backed by dedicated researchers,
QA labs, and a full production test suite (Over 16 million units) for
each release then the VRT set is the only way to go.





2. Would a "complete" or "more complete" set include the combination
of VRT+Community+BleedingEdge Snort. If so...



Yes.


Not at all. It would be a hodge podge of things that will confuse the
general analyst and lead to a false sense of security. ( there is far
more to that opinion than can be relayed here) The rules in the various
sets out there should be combed for issues that you are concerned about
and can personally validate.





3. Would the combination of VRT+Community+BleedingEdge result in a lot
of duplicate signatures?



Of course it would.  Yes.

see also: OSSRC Rules Overlap Committee.






-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] Rule Set Completness, Erik Fichtner
Next by Date:  [Snort-sigs] Snort v2.6.0 RC2 Available, Jennifer Steffens
Previous by Thread:  Re: [Snort-sigs] Rule Set Completness, Erik Fichtner
Next by Thread:  Re: [Snort-sigs] Rule Set Completness, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]