Thursday, December 23, 2010

Emerging Threats x VRT Rules - Enable versus Classtype

Playing with both rulesets, I started to analyze some differences between them, in particular enabled versus disabled rules by classtype (category). As a base I'm using the VRT tarball from Nov 23rd and the ET emerging-all from Dec 22nd.


About VRT (I only analyzed plain-text rules):


Total Plain-text Rules: 16301
Total Enabled: 4597
Total Disabled: 11704


Enabled rules by Category/Classtype


   1370 Status: Enable Category: attempted-user
    925 Status: Enable Category: misc-activity
    646 Status: Enable Category: trojan-activity
    419 Status: Enable Category: attempted-admin
    287 Status: Enable Category: successful-recon-limited
    249 Status: Enable Category: protocol-command-decode
    114 Status: Enable Category: attempted-dos
    111 Status: Enable Category: misc-attack
    108 Status: Enable Category: rpc-portmap-decode
    106 Status: Enable Category: policy-violation
     77 Status: Enable Category: attempted-recon
     42 Status: Enable Category: shellcode-detect
     34 Status: Enable Category: bad-unknown
     32 Status: Enable Category: web-application-attack
     16 Status: Enable Category: denial-of-service
     13 Status: Enable Category: suspicious-filename-detect
     12 Status: Enable Category: suspicious-login
     10 Status: Enable Category: unsuccessful-user
      6 Status: Enable Category: web-application-activity
      5 Status: Enable Category: successful-admin
      4 Status: Enable Category: system-call-detect
      4 Status: Enable Category: string-detect
      4 Status: Enable Category: network-scan
      1 Status: Enable Category: unknown
      1 Status: Enable Category: successful-user
      1 Status: Enable Category: not-suspicious


All rules by Category/Classtype


   3764  attempted-user
   3612  attempted-admin
   3516  protocol-command-decode
   1228  misc-activity
   1119  trojan-activity
    520  web-application-activity
    425  web-application-attack
    358  attempted-recon
    328  bad-unknown
    308  successful-recon-limited
    301  policy-violation
    266  attempted-dos
    198  misc-attack
    133  rpc-portmap-decode
     67  shellcode-detect
     35  suspicious-filename-detect
     32  denial-of-service
     19  suspicious-login
     15  not-suspicious
     12  unsuccessful-user
      9  successful-admin
      8  non-standard-protocol
      6  default-login-attempt
      5  system-call-detect
      5  network-scan
      4  unknown
      4  string-detect
      3  unusual-client-port-connection
      1  successful-user


About ET (plain-text rules only):


Total Plain-text Rules: 11517
Total Enabled: 9644
Total Disabled: 1873


Enabled rules by Category/Classtype


   5049 Status: Enable Category: web-application-attack
   1617 Status: Enable Category: trojan-activity
    474 Status: Enable Category: attempted-user
    376 Status: Enable Category:  trojan-activity
    339 Status: Enable Category: protocol-command-decode
    295 Status: Enable Category: attempted-admin
    265 Status: Enable Category: policy-violation
    206 Status: Enable Category:  policy-violation
    176 Status: Enable Category: attempted-recon
    167 Status: Enable Category: bad-unknown
    102 Status: Enable Category: misc-attack
     81 Status: Enable Category: misc-activity
     81 Status: Enable Category: attempted-dos
     80 Status: Enable Category: rpc-portmap-decode
     54 Status: Enable Category: web-application-activity
     40 Status: Enable Category:  misc-activity
     32 Status: Enable Category:  web-application-attack
     30 Status: Enable Category: shellcode-detect
     16 Status: Enable Category: denial-of-service
     16 Status: Enable Category:  attempted-recon
     13 Status: Enable Category: not-suspicious
     12 Status: Enable Category: suspicious-filename-detect
     12 Status: Enable Category:  attempted-admin
     11 Status: Enable Category: unsuccessful-user
     11 Status: Enable Category:  misc-attack
     10 Status: Enable Category: successful-admin
     10 Status: Enable Category:  string-detect
     10 Status: Enable Category:  attempted-dos
      9 Status: Enable Category: suspicious-login
      5 Status: Enable Category: default-login-attempt
      4 Status: Enable Category: unknown
      4 Status: Enable Category:  suspicious-login
      4 Status: Enable Category: successful-user
      4 Status: Enable Category: non-standard-protocol
      4 Status: Enable Category: network-scan
      3 Status: Enable Category:  web-application-activity
      3 Status: Enable Category: system-call-detect
      3 Status: Enable Category: successful-recon-limited
      3 Status: Enable Category: successful-dos
      3 Status: Enable Category:  bad-unknown
      2 Status: Enable Category: unusual-client-port-connection
      2 Status: Enable Category:  not-suspicious
      1 Status: Enable Category:  successful-admin
      1 Status: Enable Category: string-detect
      1 Status: Enable Category:  shellcode-detect
      1 Status: Enable Category:  denial-of-service
      1 Status: Enable Category:  attempted-user


All rules by Category/Classtype


   5213  web-application-attack
   1799  trojan-activity
    643  attempted-user
    568  policy-violation
    410   trojan-activity
    384  protocol-command-decode
    373  attempted-admin
    300  misc-activity
    276  attempted-recon
    268   policy-violation
    238  bad-unknown
    137  shellcode-detect
    136  attempted-dos
    134  misc-attack
     95  web-application-activity
     88  rpc-portmap-decode
     80   misc-activity
     39  not-suspicious
     36   web-application-attack
     27  successful-user
     25   attempted-recon
     20  unusual-client-port-connection
     17   misc-attack
     17  denial-of-service
     16  suspicious-filename-detect
     16   attempted-admin
     14  successful-admin
     13   attempted-dos
     12   bad-unknown
     11  unsuccessful-user
     11  unknown
     11  suspicious-login
     11   string-detect
     10   not-suspicious
     10  non-standard-protocol
      7  default-login-attempt
      5  system-call-detect
      5  successful-recon-limited
      5  network-scan
      4   web-application-activity
      4   suspicious-login
      4   suspicious-filename-detect
      4   shellcode-detect
      4   attempted-user
      3  successful-dos
      2  string-detect
      2   denial-of-service
      1   successful-admin
      1   non-standard-protocol


In summary:


- ET has almost double the rules enabled by default
- Most VRT enabled rules focus on attempted-user
- Most ET enabled rules focus on web-application-attack and trojan-activity
- Rules from ET and VRT target different protections, so you should analyze where you will place your sensor to make the best decision, or use both and mix them


I just did some basic scripting, so my numbers might not be accurate, but it's a good base.
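The enable/disable by classtype count the post describes, as an added example (not the author's script): it treats a line whose first token after an optional `#` is a rule action as a rule, joins backslash-continued lines, and strips whitespace around the classtype value so that entries like `Category:  trojan-activity` and `Category: trojan-activity` count as one category instead of the split rows seen in the ET lists above. The sample rules and sids are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample rules (not from the VRT or ET tarballs); sids are placeholders.
SAMPLE_RULES = r'''
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp login"; classtype:attempted-user; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; classtype: web-application-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE bot checkin"; \
    classtype:trojan-activity; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE sqli"; classtype:  web-application-attack; sid:9000004; rev:1;)
# an ordinary comment, not a disabled rule
#alert udp any any -> any 53 (msg:"EXAMPLE dns"; classtype:attempted-recon; sid:9000005; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE no classtype"; sid:9000006; rev:1;)
'''
# A rule is a line whose first token, after an optional '#', is a rule action.
RULE_RE = re.compile(r"^\s*(?P<disabled>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s")
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([^;]*?)\s*;")

def logical_lines(text):
    """Join Snort backslash-continued lines so each rule is one string."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""

def parse_rules(text):
    """Yield (status, classtype) per rule. Plain comments are skipped and the
    classtype is stripped, so ' trojan-activity' and 'trojan-activity' merge."""
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue
        ct = CLASSTYPE_RE.search(line)
        yield ("Disable" if m.group("disabled") else "Enable",
               ct.group(1).strip() if ct else "(none)")

def summarize(text):
    """Return (per_class, total, enabled): per_class counts (status, classtype) pairs."""
    per_class = Counter(parse_rules(text))
    enabled = sum(n for (s, _), n in per_class.items() if s == "Enable")
    return per_class, sum(per_class.values()), enabled

def report(per_class, status):
    """Lines in the post's 'count Status: X Category: Y' shape, largest first."""
    rows = sorted(((n, c) for (s, c), n in per_class.items() if s == status),
                  key=lambda r: (-r[0], r[1]))
    return ["%7d Status: %s Category: %s" % (n, status, c) for n, c in rows]
```

Run it over a real tarball by feeding the concatenated `.rules` files to `summarize()` and printing `report()` for each status.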


Happy Snorting!


Rodrigo Montoro (Sp0oKeR)