Option              Description
                    specifies how many packets to leave the rule enabled for after activated
replace             Replaces matching content with the given string of the same length
detection_filter    Tracks by source or destination IP address and if the rule otherwise matches more than the configured rate it will fire
Snort Rule Repositories

• Talos snort rules
  – Community Rules
    • Free to all and licensed under GPLv2
    • Submitted by the open source community or Snort integrators
    • Certified by Talos
  – Registered
    • Snort Subscriber rules
    • Free but register with the snort.org site
    • Available 30 days after Subscribers
  – Subscribers
    • Snort Subscribers Rules
    • Not free but available immediately
Snort Rule Repositories

• Proofpoint Snort rules
  – Emerging Threats Open rules
    • Free to all
    • Contains a subset of the ET Pro rules
  – Emerging Threats Pro rules
    • Not free
    • Rules updated daily
Writing Custom Snort Rules

• Write rules that target the vulnerability, not the specific exploit
  – e.g. look for the vulnerable command with an argument that is too large, instead of shellcode that binds to a port
• By writing rules for the vulnerability, the rule is less prone to evasion when an attacker changes the exploit slightly
• User-defined rule
  – Rules that an end user writes specifically for their environment
  – Typically not contributed back to the open source community
  – Uses sid between 1,000,000 and 1,999,999 to not overlap existing rule sets
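A user-defined rule written the way the slide recommends, added here as an example and not taken from the course material: it matches the vulnerable condition (an FTP USER command whose argument is implausibly long) rather than any particular shellcode, rate-limits alerts with detection_filter, and uses a sid from the local 1,000,000–1,999,999 range. $HOME_NET, $EXTERNAL_NET, the 200-byte threshold and the count/seconds values are assumptions for illustration.

```snort
# Added example (not from the slides): vulnerability-oriented user-defined rule.
# Assumes the usual snort.conf variables $EXTERNAL_NET / $HOME_NET and an
# arbitrary "too long" threshold of 200 bytes for the USER argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"LOCAL FTP USER command with oversized argument (possible overflow attempt)"; \
    flow:to_server,established; \
    # Cheap fast-pattern anchor: command keyword at the start of the payload.
    content:"USER "; nocase; depth:5; \
    # Cheap pre-check: at least 200 bytes follow the keyword before running PCRE.
    isdataat:200,relative; \
    # The vulnerable condition itself: 200+ argument bytes before the CRLF,
    # regardless of what those bytes contain (shellcode, NOPs or garbage).
    pcre:"/^USER\s[^\r\n]{200,}/i"; \
    # Fire only if one source trips the rule more than 3 times in 60 seconds.
    detection_filter:track by_src, count 3, seconds 60; \
    classtype:attempted-admin; \
    # Local sid range 1,000,000-1,999,999 so it never collides with Talos or ET sids.
    sid:1000001; rev:1; \
)
```

Because the rule keys on argument length rather than a payload signature, changing the encoder, NOP sled or bind port of an exploit does not change whether it matches.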