Emerging Threats


RULE FILE CHANGE COMING!!


WE'RE MAKING A CHANGE TO THE ORGANIZATION OF THE RULESET!! YOU WILL HAVE TO UPDATE YOUR CONFIG!!!

 

Trying to get everyone's attention. Are you here now? Thanks for taking a minute to read this. You'll be glad you did.

 

We are just about to cross signature ID 2010000; that's ten thousand signatures come and gone (we have about 7,500 active at the moment). A few categories have bloated, and some more granular organization will benefit all of us, so we're going to take this opportunity to make the changes below. These changes will come into effect at 00:01 EST (GMT-5) October 2, 2009. That's just under one week from now. So please be prepared: you'll have to update your Snort configuration to keep using the same rules, because they'll be in different files.

 

1. Rules in CURRENT_EVENTS currently drop into emerging.rules. We will no longer do this; instead we will add the file emerging-current_events.rules.

2. The WEB category will be subdivided and WEB_SPECIFIC will be renamed. This makes it easier to disable or enable client- and server-based rules. The new files will be:

emerging-web_client.rules

These will be the ActiveX and other browser and client exploits.

emerging-web_server.rules

Attacks on web servers.

emerging-web_specific_apps.rules

These will be most of the rules formerly known as web_sql_injection.

emerging-web.rules

The remaining rules that do not fit cleanly into the above categories will go here.

 

3. The rules currently in malware for user agents will be moved into their own rules category, primarily because of the number of signatures we have here. They will now be in the category:

emerging-user_agents.rules

 

We are not at this time going to subdivide the virus and trojan rules. They ought to be, but this is a bigger issue than we can tackle at the moment. 

Again, these changes will go into effect at 00:01 EST (GMT-5) October 2, 2009!
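
One way to check a snort.conf against the file list above before the cutover, as an added example that is not part of the original announcement or of the ET project's tooling. The sample config, its /etc/snort/rules path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Rule files named in the announcement; each needs its own include line.
ET_FILES="emerging-current_events.rules emerging-web_client.rules
emerging-web_server.rules emerging-web_specific_apps.rules
emerging-web.rules emerging-user_agents.rules"

# Print each announced rule file that has no active (uncommented) include
# line in the snort.conf given as $1.
missing_includes() {
    for f in $ET_FILES; do
        # Escape dots so the file name is matched literally.
        pat=$(printf '%s' "$f" | sed 's/\./\\./g')
        # Accept an optional path prefix such as $RULE_PATH/ and a trailing
        # comment; anchoring the end keeps emerging-web.rules from matching
        # emerging-web_client.rules and the other new web files.
        grep -Eq "^[[:space:]]*include[[:space:]]+([^#[:space:]]*/)?${pat}[[:space:]]*(#.*)?\$" "$1" \
            || printf '%s\n' "$f"
    done
}

# Constructed sample config (hypothetical paths, not from the announcement):
# one new file is included, one is commented out, the rest are absent.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/emerging.rules
include $RULE_PATH/emerging-web.rules
# include $RULE_PATH/emerging-web_client.rules
  include $RULE_PATH/emerging-user_agents.rules   # moved out of malware
EOF
}

# Run the check against the sample and list what still has to be added.
demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    missing_includes "$conf"
    rm -f "$conf"
}

demo
```

Point `missing_includes` at your real snort.conf to get the include lines you still need to add; an empty result means every file from the list is already loaded.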

 

Thanks for using and contributing to the ET ruleset. Comments about the change are welcome!

Matt

 

 

UPDATE:

I noted the change as GMT+5, it's actually GMT-5. US Eastern Time. Sorry for the confusion.

Last Updated ( Tuesday, 29 September 2009 07:57 )  
