Thanks for your feedback! You clearly show experience in managing IDS.

On 05/02/2012 12:28 PM, Rich Graves wrote:
> None/all of the above.
> 
> If you're going to do this, you could get the broadest reach with a regular 
> expression match of the alert. I could imagine an organization other than 
> mine blacklisting clients based on / ET (P2P|POLICY) .+Priority: 1/, for 
> example.

Providing a regex match would be useful, but I'm afraid it's a little
complex for end-users, and it would have to be crippled because we
already use the comma to split the triggers, so it would need to be
escaped when trying to match, but commas aren't escaped in normal
regex, leading to more confusion.

Since you can combine triggers, something simpler like
snort-ruleset::ET Policy:1,snort-ruleset::ET P2P:1 could accomplish a
similar goal, where the 1 would be the priority.

I know it's a tough call. I know how to write regex but most people
don't, and I'm thinking about them for the trigger formats.

snort-ruleset-regex could still exist for the power users though.
However, there are security implications with user-controlled regexes,
but in this case it's administrator-controlled so I'm not too concerned.

> 
> VRT is 90% done changing the classification of most rules. ET went through a 
> similar mass reclassification a couple years ago. This doesn't mean that 
> classifications are not useful -- it just means that you'd have to pay 
> attention when they change.

Do you know if the priority is similar to the classifications, in that
it can change and its meaning can't be relied upon too much?

> 
> I don't think I would ever use such a feature. False positives are too high 
> with new rules. Consider reviewing your snort alerts in something like 
> Snorby, Placid, or Aanval instead, and archive everything to ELSA. If you see 
> something interesting, create a generic malware violation manually.
> 

Agreed, but you could arguably do the same thing from within PacketFence.
You only log violations at first, comment out the noisy rules, and then
once you feel in control, open the gates to mass isolation.

> High-confidence proprietary VRT rules have this sort of thing in the rule 
> file:
> 
>   metadata:policy balanced-ips drop, policy security-ips drop; 
> 
> SourceFire appliances use that for default policy, based on VRT's estimation 
> of the risk/reward. Most rules are alert only. The suggested action appears 
> only in the rule, not in the alert message.


-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
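As an added illustration of the trigger format discussed in this message (example code written for this page, not PacketFence's own implementation): it parses a comma-separated trigger list in the proposed snort-ruleset::<msg prefix>:<priority> form plus the snort-ruleset-regex variant, and runs them over constructed Snort fast-alert lines. The prefix matching, the priority-as-ceiling rule and the sample alerts are assumptions made here; the comma-versus-regex conflict from the message shows up in parse_triggers.

```python
import re
# Constructed sample Snort "fast" alert lines (sample data, not from the thread).
SAMPLE_ALERTS = [
    "[**] [1:9000001:1] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate "
    "Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51413 -> 192.0.2.10:6881",
    "[**] [1:9000002:1] ET POLICY Dropbox client broadcasting [**] [Classification: Potential "
    "Corporate Privacy Violation] [Priority: 2] {UDP} 10.0.0.6:17500 -> 255.255.255.255:17500",
    "[**] [1:9000003:1] ET SCAN Nmap OS probe [**] [Classification: Attempted Information "
    "Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 192.0.2.11",
]
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\]"
                      r".*?\[Priority: (?P<prio>\d+)\]")

def parse_alert(line):
    """Return sid, rule message, priority and the raw line, or None if unparsable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]), "line": line}

def parse_triggers(spec):
    """Split 'type::value[:priority],...' into (type, value, priority) tuples.
    The comma is the list separator, so a regex value containing a comma is split
    apart (the conflict raised in the message); a trailing ':<digits>' is the priority."""
    triggers = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        ttype, _, rest = item.partition("::")
        value, sep, prio = rest.rpartition(":")
        if sep and prio.isdigit():
            triggers.append((ttype, value, int(prio)))
        else:
            triggers.append((ttype, rest, None))
    return triggers

def matches(trigger, alert):
    """snort-ruleset: case-insensitive prefix match on the rule message (assumed here);
    snort-ruleset-regex: regex search over the whole alert line.
    The priority is treated as a ceiling, since Snort priority 1 is the most severe."""
    ttype, value, prio = trigger
    if ttype == "snort-ruleset":
        hit = alert["msg"].lower().startswith(value.lower())
    else:
        hit = ttype == "snort-ruleset-regex" and re.search(value, alert["line"]) is not None
    return hit and (prio is None or alert["priority"] <= prio)

def violations(spec, lines):
    """Return (sid, 'type::value') for each alert matched by a trigger in spec."""
    triggers, hits = parse_triggers(spec), []
    for alert in filter(None, map(parse_alert, lines)):
        for trig in triggers:
            if matches(trig, alert):
                hits.append((alert["sid"], trig[0] + "::" + trig[1]))
                break
    return hits
```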

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users