I'm interested in feedback on:
1) Why is the SO default the ET free set vs the GPL set from VRT? What is the difference?
2) Pro subscribers: why VRT/ why ET?
3) What are caveats and/or recommendations regarding combining rule sets?
Hi
On Nov 23, 2013 1:11 AM, "Jeremy Hoel" <jth...@gmail.com> wrote:
>
> We have at one time or another used all the rule sets above. Right
> now we are paying for VRT registered rules. We do that because we have
> SourceFire devices in addition to Snort so getting all the rules from
> one place is great.
>
> 1) The Community/GPL rules are a small package, where the ET free/paid
> sets offer much more (in comparison to just the Community rule-set),
> plus the community ruleset is a relatively new set, and it might not
> have been out when the SO project was set up.
>
The community ruleset is to be included in SecurityOnion when pulledpork is upgraded to version 0.7, https://code.google.com/p/security-onion/issues/detail?id=390.
The option to choose the community ruleset was added/integrated in the 0.7 release.
> 2) Between VRT paid and ET paid, the VRT seemed to get more stable
> rules, less FP; ET was newer threats, but at the cost of more FP.
>
> 3) Right now for our snort sensors we use VRT Paid, community and ET
> free, and it works fine, though when snort starts it complains about
> duplicate rules from community and VRT Paid, but the Community ones
> are newer and will be used.
>
> Hope that helps..
>
/Lysemose
One caveat that I found when using combined freebie rule sets is that the links to investigate what a rule means were less helpful in the ET rules. As a newbie to this arena, when I clicked a link to the Snort rule like "snort.org/search/sid/1-159", the limited documentation that comes from Snort's rules homepage was helpful. But if the alert has come from ET and the link goes to snort.org/search/sid/100003456, then you see a not-found page. The ET rules often have some links in them which offer a description of the problem that prompted the rule, like maybe a Wikipedia page or some news article, but the link to the rule in the SO interfaces normally leads to the rule history page at ET. The rule history is not so informative. Now I just use the ET set alone until I get to know all these tools better.
Could it be that somewhere on the net we can find or create a guide that documents what threw an alert on a user's LAN? Such a forum might give a clue what to investigate first. At this stage I spend as much time understanding what could be the meaning of the rule message as I do learning to even keep this onion running.
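Two practical points come up in the thread: Jeremy's note that Snort complains about duplicate rules when the Community and VRT sets are loaded together (and that the newer rev wins), and the later post about ET rules carrying their documentation in reference: keywords rather than on snort.org. The script below is an added example, not code from the thread or from the Security Onion or pulledpork projects. It parses rule files for gid/sid/rev and reference: options, lists the SIDs that appear in more than one set along with which copy has the highest rev, and turns each rule's references into clickable URLs. The sample rule text, file names and SIDs in the 9000000 range are constructed for the example, and the reference-type prefixes are assumed to follow the usual Snort reference.config entries.

```python
"""Spot duplicate SIDs across combined Snort rule sets and pull out reference links."""
import re
from collections import defaultdict

# Constructed sample rule files (not from the original thread). The two rules
# that share sid 9000001 stand in for a Community rule and a VRT rule with the
# same SID but different rev; the third mimics an ET-style rule whose
# documentation lives in reference: keywords rather than on snort.org.
SAMPLE_RULES = {
    "community.rules": r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; flow:to_server; flags:S; classtype:attempted-recon; sid:9000001; rev:3;)
''',
    "vrt.rules": r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; flow:to_server; flags:S; classtype:attempted-recon; sid:9000001; rev:2;)
''',
    "emerging-sample.rules": r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE ET outbound beacon"; flow:established,to_server; content:"GET"; http_method; reference:url,en.wikipedia.org/wiki/Botnet; reference:url,example.com/advisory; classtype:trojan-activity; sid:9000002; rev:1;)
''',
}

# Matches an enabled rule: action, header, then the parenthesised option list.
# Commented-out (disabled) rules are skipped, since Snort never loads them.
RULE_RE = re.compile(r'^\s*(alert|drop|pass|log|reject|sdrop)\s+.*?\((.*)\)\s*$')
# Splits "name:value;" or bare "name;" options. Good enough for sid/gid/rev/
# reference; it does not handle a literal ';' inside a quoted msg or content.
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*([^;]*?))?\s*;')

# Assumed mapping, mirroring common Snort reference.config entries.
REFERENCE_PREFIX = {
    "url": "http://",
    "cve": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
}


def parse_rules(text, source):
    """Return a list of dicts (source, gid, sid, rev, msg, references) for each enabled rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = {"source": source, "gid": 1, "sid": None, "rev": 0, "msg": "", "references": []}
        for name, value in OPT_RE.findall(m.group(2)):
            if name == "sid":
                rule["sid"] = int(value)
            elif name == "gid":
                rule["gid"] = int(value)
            elif name == "rev":
                rule["rev"] = int(value)
            elif name == "msg":
                rule["msg"] = value.strip('"')
            elif name == "reference":
                kind, _, ref = value.partition(",")
                rule["references"].append((kind.strip(), ref.strip()))
        if rule["sid"] is not None:
            rules.append(rule)
    return rules


def find_duplicates(rules):
    """Group rules by (gid, sid) and keep only the IDs defined more than once."""
    by_id = defaultdict(list)
    for r in rules:
        by_id[(r["gid"], r["sid"])].append(r)
    return {k: v for k, v in by_id.items() if len(v) > 1}


def newest(candidates):
    """The copy with the highest rev, i.e. the one you would expect to keep."""
    return max(candidates, key=lambda r: r["rev"])


def reference_urls(rule):
    """Expand reference:type,value pairs into URLs using REFERENCE_PREFIX."""
    return [REFERENCE_PREFIX.get(kind, kind + ":") + ref for kind, ref in rule["references"]]


def report(rule_files):
    """Human-readable summary: duplicate SIDs with the winning rev, then reference links."""
    rules = [r for name, text in rule_files.items() for r in parse_rules(text, name)]
    lines = []
    for (gid, sid), copies in sorted(find_duplicates(rules).items()):
        keep = newest(copies)
        where = ", ".join(f'{c["source"]} (rev {c["rev"]})' for c in copies)
        lines.append(f"duplicate {gid}:{sid} in {where}; highest rev is {keep['source']}")
    for r in rules:
        for url in reference_urls(r):
            lines.append(f'{r["gid"]}:{r["sid"]} "{r["msg"]}" -> {url}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```

Point it at the real files under /etc/nsm/rules (or wherever pulledpork writes them) by reading them into the dictionary in place of SAMPLE_RULES; the duplicate list tells you which set's copy Snort will keep before you see the warning at startup, and the reference list gives you somewhere to start reading when the snort.org SID link returns a not-found page.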