Thread: Obsolete sigs

Obsolete sigs
United States | 2007-06-19 18:04:01
A question on snort-sigs reminded me of something that's been in the back of
my mind for a while.

What if we were to start a list of older signatures that are completely
obsoleted. Then distribute that list of sids to allow local users to drop
those.

I'm talking about completely unquestionably absolutely useless sigs. They
may be good sigs, but the threat is so minimal that a person with a well
loaded sensor could drop those sigs.

Examples off of the top of my head would be Code Red sigs. Not only is Code
Red pretty much gone, but the default install of IIS that's vulnerable is
obsoleted as well. So it's very unlikely that a new server install is going
to come up on your net vulnerable.

More so, some of the old virus stuff and the like would probably be good for
that list. It'll be a tedious job to go through and do so, but it might be
worthwhile.

What are people's thoughts on that? Would many use such a list to pare down
their ruleset?

Matt
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.com
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

RE: Obsolete sigs
United States | 2007-06-19 19:57:34
Moving them to bleeding-obsolete.rules, but still enabled??
Shirkdog
' or 1=1--
http://www.shirkdog.us
>From: "Matt Jonkman" <jonkman@bleedingthreats.net>
>Reply-To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net>
>To: "'Bleeding Sigs'" <bleeding-sigs@bleedingthreats.net>
>Subject: [Bleeding-sigs] Obsolete sigs
>Date: Wed, 20 Jun 2007 09:04:01 +1000

RE: Obsolete sigs
Canada | 2007-06-20 08:32:10
It would be worthwhile to prune obsolete sigs (to simplify, to free up CPU).
And it would be wise to maintain an archive of some sort so we can learn
from them. I like the idea of bleeding-obsolete.sigs (there's enough in the
msg to categorize the issue).

PS. In existing sigs we have lots of '^#alert' lines, are they de facto
obsolete sigs?
-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net
[mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman
Sent: June 19, 2007 7:04 PM
To: 'Bleeding Sigs'
Subject: [Bleeding-sigs] Obsolete sigs

Re: Obsolete sigs
United States | 2007-06-20 20:05:15
Reg Quinton wrote:
> It would be worthwhile to prune obsolete sigs (to simplify, to free up CPU).
> And it would be wise to maintain an archive of some sort so we can learn
> from them. I like the idea of bleeding-obsolete.sigs (there's enough in the
> msg to categorize the issue).

Might end up going that way. Have to think some more about it. I don't
want to let things get cluttered...

> PS. In existing sigs we have lots of '^#alert' lines, are they de facto
> obsolete sigs?

Generally that's either obsoleted, or had problems with false positives.
Usually there'll be a note in CVS. It could also be a sig that's only
appropriate for certain environments.

Matt
> -----Original Message-----
> From: bleeding-sigs-bounces@bleedingthreats.net
> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman
> Sent: June 19, 2007 7:04 PM
> To: 'Bleeding Sigs'
> Subject: [Bleeding-sigs] Obsolete sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc