
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Detailed change-logs
From:       Jason Williams <jwilliams () emergingthreats ! net>
Date:       2020-03-18 20:19:06
Message-ID: CAPpdu9F5skPSQgNDVPAXDFX8OVpC1tB4GiLOSbbgQa=oHnHk4Q () mail ! gmail ! com



Guilherme,

Good question, and no, we don't publish reasonings, but for the ET OPEN
ruleset there is somewhat of a ledger that is kept of the edits and changes
for each rule, e.g. https://docs.emergingthreats.net/bin/view/Main/2024379

The most common reason we disable a rule is that we are no longer seeing it
hit in the wild to the best of our visibility and haven't for some
time, usually years. When a rule is disabled it is simply commented out in
the rule file that it exists in. Anyone pulling the rules can use a rule
management tool such as suricata-update or PulledPork to enable/disable
rules as they see fit for their environment. When a rule is deleted it goes
into the DELETED.rules file, so nothing should be completely lost. It is
very infrequent that we completely delete a rule. The most common reason
for modifications is that we simply learned something new about the traffic
after we published it. Negating things that cause false positives,
tightening or loosening detection logic based on time and observed traffic
for the particular rule. Some rules just require frequent modifications,
such as rules looking for outdated Java or some sort of web plugin.

Thanks,

Jason

On Wed, Mar 18, 2020 at 11:51 AM Guilherme Afonso Galindo Padilha <
gagp@cin.ufpe.br> wrote:

> Hello everyone,
>
> I'd like to know if there are more detailed change-logs with the reason of
> the modifications/removal of rules.
>
> If there's no such thing, could you inform me what's the most common
> reason for the frequent modifications?
>
> Thanks,
> Guilherme
> --
> Guilherme Afonso Galindo Padilha
> Bachelor's degree in Computer Science - Undergraduate (2016.2)
> CIn - UFPE
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
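As an added illustration of the mechanics described in the reply above (disabled rules are commented out in place, deleted rules move to DELETED.rules, modifications show up as rev bumps), here is a small script that is not part of this thread or of the ET or suricata-update tooling. It parses two snapshots of a Suricata-format rule file and derives the kind of per-sid change log the question asks for: added, removed, disabled, re-enabled and modified rules. The rule text, the sids (9000001-9000004, in the local range) and both file contents are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample rule files for this example (not ET rules; the sids sit
# in the 9000000+ local range so they cannot collide with published ET sids).
OLD_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Outdated web plugin"; flow:established,to_server; content:"/plugin/v1/"; http_uri; classtype:policy-violation; sid:9000001; rev:3;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE Retired domain lookup"; dns_query; content:"retired.example"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Legacy SNI"; tls_sni; content:"legacy.example"; classtype:policy-violation; sid:9000003; rev:2;)
"""

NEW_RULES = """\
# Plugin rule tightened with a false-positive negation (rev bumped), DNS rule
# disabled by commenting it out, TLS rule removed, one new rule added.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Outdated web plugin"; flow:established,to_server; content:"/plugin/v1/"; http_uri; content:!"/plugin/v1/healthz"; http_uri; classtype:policy-violation; sid:9000001; rev:4;)
#alert dns $HOME_NET any -> any any (msg:"EXAMPLE Retired domain lookup"; dns_query; content:"retired.example"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE New scanner UA"; flow:established,to_server; content:"ExampleScanner/"; http_user_agent; classtype:attempted-recon; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|reject|pass)\b")


@dataclass
class Rule:
    sid: int
    rev: int
    enabled: bool
    body: str  # rule text with any leading '#' removed


def parse_rules(text: str) -> Dict[int, Rule]:
    """Index a Suricata rule file by sid, keeping commented-out (disabled) rules."""
    rules: Dict[int, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not ACTION_RE.match(body):
            continue  # an ordinary comment, not a disabled rule
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # malformed rule without a sid; nothing to key on
        rev_m = REV_RE.search(body)
        rev = int(rev_m.group(1)) if rev_m else 1  # Suricata treats a missing rev as 1
        sid = int(sid_m.group(1))
        rules[sid] = Rule(sid, rev, enabled, body)
    return rules


def diff_rulesets(old: Dict[int, Rule], new: Dict[int, Rule]) -> List[Tuple[int, str]]:
    """Derive a per-sid change log between two snapshots of a rule file."""
    changes: List[Tuple[int, str]] = []
    for sid in sorted(old.keys() | new.keys()):
        o, n = old.get(sid), new.get(sid)
        if o is None:
            changes.append((sid, "added"))
        elif n is None:
            changes.append((sid, "removed"))  # check DELETED.rules before assuming it is gone
        else:
            if o.enabled and not n.enabled:
                changes.append((sid, "disabled"))
            elif not o.enabled and n.enabled:
                changes.append((sid, "enabled"))
            if n.rev != o.rev:
                changes.append((sid, f"modified rev {o.rev}->{n.rev}"))
            elif o.body != n.body:
                changes.append((sid, "modified without rev bump"))
    return changes


def changelog() -> List[Tuple[int, str]]:
    """Change log for the constructed OLD_RULES -> NEW_RULES transition."""
    return diff_rulesets(parse_rules(OLD_RULES), parse_rules(NEW_RULES))


if __name__ == "__main__":
    for sid, what in changelog():
        print(f"sid {sid}: {what}")
```

Rather than hand-editing the vendor rule file, the sids this reports can be fed to suricata-update's enable.conf and disable.conf, which take one sid per line (as well as `re:` regex and `group:` filename patterns), so local overrides survive the next ruleset pull; a sid reported as "removed" is worth looking up in DELETED.rules to distinguish a retired rule from one that merely moved files.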
