Which Snort ruleset should I use?


Francois Lachance

Sep 11, 2018, 5:04:29 PM
to security-onion
So I'm looking at my options for paid rulesets (https://github.com/Security-Onion-Solutions/security-onion/wiki/Rules) and I see that there appear to be only two vendors:

- EmergingThreats (Proofpoint)
- Snort (Talos, which is really Cisco)

What is the difference between the two subscriptions? The paid Snort service has a clear price ($399 per sensor/year). Proofpoint wants you to contact them, which means it's probably expensive.

But which one is better? I have searched for some review or comparison but wasn't able to find anything. Would anyone be able to point me to such a review or give me some insight?

Thanks,

Francois
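The thread asks for a comparison of the two feeds but never gets one. The script below is an added example, not from this thread, the Security Onion project, or either vendor: it parses two Snort-syntax rule files and reports rule counts, classtype breakdown, and which CVE references each feed covers that the other does not, which is a concrete first axis for a side-by-side review. The two rule sets are constructed for illustration (assumed-syntax samples, not real vendor rules), and the parser assumes one rule per line with no escaped semicolons inside options.

```python
"""Compare two Snort/Suricata rule files by classtype and CVE coverage.

Added example, not part of the original thread. The rule text below is
constructed for illustration and is not taken from any vendor feed.
"""
import re
from collections import Counter

# Constructed sample rules in Snort syntax (not real vendor content).
FEED_A = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"A SMB exploit attempt"; flow:to_server,established; content:"|ff|SMB"; classtype:attempted-admin; reference:cve,2017-0144; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"A malware beacon"; flow:to_server,established; content:"GET /gate.php"; classtype:trojan-activity; sid:1000002; rev:1;)
# comment lines like this one must be ignored by the parser
alert udp any any -> any 53 (msg:"A DNS tunnel"; content:"|00 10 00 01|"; classtype:policy-violation; reference:url,example.invalid/dns; sid:1000003; rev:1;)
'''
FEED_B = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"B SMB remote code execution"; content:"|ff|SMB"; classtype:attempted-admin; reference:cve,2017-0144; reference:cve,2017-0143; sid:2000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"B web shell upload"; content:"cmd="; classtype:web-application-attack; reference:cve,2018-7600; sid:2000002; rev:1;)
'''

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^\s*(alert|drop|reject|pass|log)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+'
    r'(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# "name:value;" or bare "name;" (e.g. nocase;). Assumes no ';' inside values.
OPT_RE = re.compile(r'(\w+)\s*(?::\s*([^;]*))?;')


def parse_rules(text):
    """Return a list of dicts (sid, msg, classtype, cves) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # skip lines this simple parser cannot handle
        opts, refs = {}, []
        for name, val in OPT_RE.findall(m.group(8)):
            val = val.strip()
            if name == 'reference':
                refs.append(val)  # a rule may carry several references
            else:
                opts[name] = val
        rules.append({
            'sid': int(opts.get('sid', 0)),
            'msg': opts.get('msg', '').strip('"'),
            'classtype': opts.get('classtype', 'unknown'),
            'cves': {r.split(',', 1)[1].strip().upper()
                     for r in refs if r.lower().startswith('cve,')},
        })
    return rules


def summarize(rules):
    """Aggregate rule count, classtype histogram and the set of CVEs referenced."""
    return {
        'rules': len(rules),
        'classtypes': Counter(r['classtype'] for r in rules),
        'cves': set().union(*(r['cves'] for r in rules)),
    }


def compare_feeds(text_a, text_b):
    """Summarize both feeds and split their CVE references into shared/only-a/only-b."""
    a, b = summarize(parse_rules(text_a)), summarize(parse_rules(text_b))
    return {
        'a': a,
        'b': b,
        'cve_both': a['cves'] & b['cves'],
        'cve_only_a': a['cves'] - b['cves'],
        'cve_only_b': b['cves'] - a['cves'],
    }


if __name__ == '__main__':
    result = compare_feeds(FEED_A, FEED_B)
    for label in ('a', 'b'):
        s = result[label]
        print(f"feed {label}: {s['rules']} rules, classtypes={dict(s['classtypes'])}")
    print('CVEs in both feeds:', sorted(result['cve_both']))
    print('CVEs only in A:', sorted(result['cve_only_a']))
    print('CVEs only in B:', sorted(result['cve_only_b']))
```

Point the two constants at real downloaded rule files (or read them from disk) to run this against actual feeds. Treat the output as a starting point only: CVE overlap and classtype counts say nothing about false-positive rate, detection quality, or how fast a vendor ships coverage for a new threat, which is what the thread is really asking about, and those can only be judged by running both feeds against your own traffic.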

Wes Lambert

Sep 12, 2018, 7:44:52 AM
to securit...@googlegroups.com
Hi Francois,

We have some brief information here about each:


Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


--

Francois Lachance

Sep 12, 2018, 10:56:15 AM
to security-onion
Wes,

Brief is the keyword here. As I indicated in my original post, I already read that page. It says little to nothing as to the functional differences between the EmergingThreats and ProofPoint feeds. That is why I was asking about people's experience with their Snort threat intelligence feeds.

Thanks,

Francois

Philip Robson

Sep 12, 2018, 2:38:49 PM
to securit...@googlegroups.com
We use the Talos/Snort rule set as part of our Firepower/IPS. When new threats have been released, Talos on their site offer good research and insights into the threats and which of their platforms protect/detect the threats. For the big well-known threats that came out last year they had Snort rules out very quickly.

Maybe have a look at the Talos site and it could give you an idea about the team developing Snort and the rules. That, and sign up to the Beers with Talos podcast.

Joel Esler

Sep 12, 2018, 7:27:08 PM
to securit...@googlegroups.com
Hi. I work for Cisco Talos. What can I help you with? Precluded that my opinion will be biased, but I will speak in fact.

Sent from my iPhone

Francois Lachance

Sep 13, 2018, 11:40:15 AM
to security-onion
Joel,

I'm trying to understand what my options are when it comes to Snort rules. I assume that the Snort subscription would provide the same rules that are used in devices such as SourceFire IPS? Are there any differences?

Thanks,

On Wednesday, 12 September 2018 17:27:08 UTC-6, Joel Esler wrote:
> Hi. I work for Cisco Talos. What can I help you with? Precluded that my opinion will be biased, but I will speak in fact.
>
> Sent from my iPhone
>

Joel Esler

Sep 13, 2018, 1:06:05 PM
to securit...@googlegroups.com
Zero.

Sent from my iPhone