[Emerging-Sigs] Detailed change-logs

Jason Williams jwilliams at emergingthreats.net
Wed Mar 18 11:19:06 HDT 2020


Good question, and no, we don't publish reasonings, but for the ET OPEN
ruleset there is somewhat of a ledger that is kept of the edits and changes
for each rule, e.g. https://docs.emergingthreats.net/bin/view/Main/2024379

The most common reason we disable a rule is that we are no longer seeing it
hit in the wild to the best of our visibility and haven't for some
time, usually years. When a rule is disabled it is simply commented out in
the rule file that it exists in. Anyone pulling the rules can use a rule
management tool such as suricata-update or pulled pork to enable/disable
rules as they see fit for their environment. When a rule is deleted it goes
into the DELETED.rules file, so nothing should be completely lost. It is
very infrequent that we completely delete a rule. The most common reason
for modifications is that we simply learned something new about the traffic
after we published it. Negating things that cause false positives,
tightening or loosening detection logic based on time and observed traffic
for the particular rule. Some rules just require frequent modifications,
such as rules looking for outdated java or some sort of web plugin.
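A small change-tracking script, added here as an illustration and not part of the thread or of the ET tooling, that parses two versions of a Suricata rules file and classifies rules the way the reply describes: a leading '#' means disabled, a higher rev means modified, and a sid missing from the new file is one to look for in DELETED.rules. The rule lines and sids below are constructed placeholders, not real ET signatures.

```python
import re

# Rule header: an optional leading '#' marks a disabled (commented-out) rule.
HEAD_RE = re.compile(r'^(?P<disabled>#\s*)?(?:alert|drop|pass|reject)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')

def parse_rules(text):
    """Map sid -> {"rev", "msg", "enabled"} for every rule line in a rules file."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        head = HEAD_RE.match(line)
        sid, rev = SID_RE.search(line), REV_RE.search(line)
        if not (head and sid and rev):
            continue  # blank line, ordinary comment, or malformed rule
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = {
            "rev": int(rev.group(1)),
            "msg": msg.group(1) if msg else "",
            "enabled": head.group("disabled") is None,
        }
    return rules

def diff_rules(old_text, new_text):
    """Classify per-sid changes between two versions of a rules file."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    both = [s for s in old if s in new]
    return {
        "disabled": sorted(s for s in both if old[s]["enabled"] and not new[s]["enabled"]),
        "enabled": sorted(s for s in both if not old[s]["enabled"] and new[s]["enabled"]),
        "modified": sorted(s for s in both if new[s]["rev"] > old[s]["rev"]),
        "removed": sorted(s for s in old if s not in new),  # expect these in DELETED.rules
        "added": sorted(s for s in new if s not in old),
    }

# Constructed sample rules (placeholder sids, not real ET signatures).
OLD_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Outdated Java UA"; content:"Java/1.6"; http_user_agent; sid:9000001; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Web Plugin Checkin"; content:"/plugin/"; http_uri; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE Old IRC Bot"; content:"NICK "; sid:9000003; rev:4;)
"""
# In the new version: 9000001 gained a false-positive negation (rev bump),
# 9000002 was commented out, 9000003 was dropped, 9000004 is new.
NEW_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Outdated Java UA"; content:"Java/1.6"; http_user_agent; content:!"Java/1.6.0_45"; http_user_agent; sid:9000001; rev:3;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Web Plugin Checkin"; content:"/plugin/"; http_uri; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"SAMPLE New DNS Lookup"; dns_query; content:"sample.invalid"; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    for kind, sids in diff_rules(OLD_RULES, NEW_RULES).items():
        print(f"{kind:9s} {sids}")
```

Running the same comparison over consecutive ruleset pulls gives a local ledger of which sids were disabled, modified or removed, which you can then check against the per-rule history page or DELETED.rules.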



On Wed, Mar 18, 2020 at 11:51 AM Guilherme Afonso Galindo Padilha <
gagp at cin.ufpe.br> wrote:

> Hello everyone,
> I'd like to know if there are more detailed change-logs with the reason of
> the modifications/removal of rules.
> If there's no such thing, could you inform me what's the most common
> reason for the frequent modifications?
> Thanks,
> Guilherme
> --
> Guilherme Afonso Galindo Padilha
> Bachelor's degree in Computer Science - Undergraduate (2016.2)
> CIn - UFPE
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net