Playing with both rulesets, I started to analyze some differences between them, especially enabled vs. disabled rules by classtype or category. As a base I'm using the VRT tarball from Nov 23rd and ET emerging-all from Dec 22nd.
About VRT (I only analyzed plain-text rules):
Total Plain-text Rules: 16301
Total Enable: 4597
Total Disable: 11704
Enabled rules by Category/Classtype
1370 Status: Enable Category: attempted-user
925 Status: Enable Category: misc-activity
646 Status: Enable Category: trojan-activity
419 Status: Enable Category: attempted-admin
287 Status: Enable Category: successful-recon-limited
249 Status: Enable Category: protocol-command-decode
114 Status: Enable Category: attempted-dos
111 Status: Enable Category: misc-attack
108 Status: Enable Category: rpc-portmap-decode
106 Status: Enable Category: policy-violation
77 Status: Enable Category: attempted-recon
42 Status: Enable Category: shellcode-detect
34 Status: Enable Category: bad-unknown
32 Status: Enable Category: web-application-attack
16 Status: Enable Category: denial-of-service
13 Status: Enable Category: suspicious-filename-detect
12 Status: Enable Category: suspicious-login
10 Status: Enable Category: unsuccessful-user
6 Status: Enable Category: web-application-activity
5 Status: Enable Category: successful-admin
4 Status: Enable Category: system-call-detect
4 Status: Enable Category: string-detect
4 Status: Enable Category: network-scan
1 Status: Enable Category: unknown
1 Status: Enable Category: successful-user
1 Status: Enable Category: not-suspicious
General Category/Classtype
3764 attempted-user
3612 attempted-admin
3516 protocol-command-decode
1228 misc-activity
1119 trojan-activity
520 web-application-activity
425 web-application-attack
358 attempted-recon
328 bad-unknown
308 successful-recon-limited
301 policy-violation
266 attempted-dos
198 misc-attack
133 rpc-portmap-decode
67 shellcode-detect
35 suspicious-filename-detect
32 denial-of-service
19 suspicious-login
15 not-suspicious
12 unsuccessful-user
9 successful-admin
8 non-standard-protocol
6 default-login-attempt
5 system-call-detect
5 network-scan
4 unknown
4 string-detect
3 unusual-client-port-connection
1 successful-user
About ET
Total Plain-text Rules: 11517
Total Enable: 9644
Total Disable: 1873
Enabled rules by Category/Classtype
5049 Status: Enable Category: web-application-attack
1617 Status: Enable Category: trojan-activity
474 Status: Enable Category: attempted-user
376 Status: Enable Category: trojan-activity
339 Status: Enable Category: protocol-command-decode
295 Status: Enable Category: attempted-admin
265 Status: Enable Category: policy-violation
206 Status: Enable Category: policy-violation
176 Status: Enable Category: attempted-recon
167 Status: Enable Category: bad-unknown
102 Status: Enable Category: misc-attack
81 Status: Enable Category: misc-activity
81 Status: Enable Category: attempted-dos
80 Status: Enable Category: rpc-portmap-decode
54 Status: Enable Category: web-application-activity
40 Status: Enable Category: misc-activity
32 Status: Enable Category: web-application-attack
30 Status: Enable Category: shellcode-detect
16 Status: Enable Category: denial-of-service
16 Status: Enable Category: attempted-recon
13 Status: Enable Category: not-suspicious
12 Status: Enable Category: suspicious-filename-detect
12 Status: Enable Category: attempted-admin
11 Status: Enable Category: unsuccessful-user
11 Status: Enable Category: misc-attack
10 Status: Enable Category: successful-admin
10 Status: Enable Category: string-detect
10 Status: Enable Category: attempted-dos
9 Status: Enable Category: suspicious-login
5 Status: Enable Category: default-login-attempt
4 Status: Enable Category: unknown
4 Status: Enable Category: suspicious-login
4 Status: Enable Category: successful-user
4 Status: Enable Category: non-standard-protocol
4 Status: Enable Category: network-scan
3 Status: Enable Category: web-application-activity
3 Status: Enable Category: system-call-detect
3 Status: Enable Category: successful-recon-limited
3 Status: Enable Category: successful-dos
3 Status: Enable Category: bad-unknown
2 Status: Enable Category: unusual-client-port-connection
2 Status: Enable Category: not-suspicious
1 Status: Enable Category: successful-admin
1 Status: Enable Category: string-detect
1 Status: Enable Category: shellcode-detect
1 Status: Enable Category: denial-of-service
1 Status: Enable Category: attempted-user
General Category/Classtype
5213 web-application-attack
1799 trojan-activity
643 attempted-user
568 policy-violation
410 trojan-activity
384 protocol-command-decode
373 attempted-admin
300 misc-activity
276 attempted-recon
268 policy-violation
238 bad-unknown
137 shellcode-detect
136 attempted-dos
134 misc-attack
95 web-application-activity
88 rpc-portmap-decode
80 misc-activity
39 not-suspicious
36 web-application-attack
27 successful-user
25 attempted-recon
20 unusual-client-port-connection
17 misc-attack
17 denial-of-service
16 suspicious-filename-detect
16 attempted-admin
14 successful-admin
13 attempted-dos
12 bad-unknown
11 unsuccessful-user
11 unknown
11 suspicious-login
11 string-detect
10 not-suspicious
10 non-standard-protocol
7 default-login-attempt
5 system-call-detect
5 successful-recon-limited
5 network-scan
4 web-application-activity
4 suspicious-login
4 suspicious-filename-detect
4 shellcode-detect
4 attempted-user
3 successful-dos
2 string-detect
2 denial-of-service
1 successful-admin
1 non-standard-protocol
In summary:
- ET has almost double the rules enabled by default
- Most of VRT's enabled rules focus on attempted-user
- Most of ET's enabled rules focus on web-application-attack and trojan-activity
- Rules from ET and VRT target different protections, so you should analyze where your sensor will sit to make the best decision, or use both and mix them
I just did some basic scripting and my numbers might not be accurate, but it's a good base.
Happy Snorting!
Rodrigo Montoro (Sp0oKeR)
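A sketch of how counts like the ones above can be produced, as an added example (not the author's script). It assumes one rule per line, treats a `#`-prefixed rule as disabled, and trims whitespace around the classtype value so spacing variants land under one key; the sample rules are constructed, not taken from either tarball.

```python
import re
from collections import Counter

# Constructed sample rules (not from the VRT or ET tarballs).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed A"; content:"a"; classtype:web-application-attack; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed B"; content:"b"; classtype:web-application-attack; sid:1000002; rev:1;)
#alert udp $HOME_NET any -> any 53 (msg:"constructed C"; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed D"; classtype: trojan-activity; sid:1000004; rev:2;)
alert icmp any any -> any any (msg:"constructed E"; sid:1000005; rev:1;)
# alert thresholds are documented elsewhere
"""

# A rule line: optional '#' (disabled), an action, a header with a
# direction operator, then the parenthesised option block.
RULE_RE = re.compile(
    r"^\s*(?P<off>#+\s*)?(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+"
    r".*(?:->|<>).*\(.*\)\s*$"
)
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # blank out msg/content strings
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;]+?)\s*;")


def summarize(text):
    """Return (totals, by_class) counters for enabled/disabled rules."""
    totals = Counter()
    by_class = {"enabled": Counter(), "disabled": Counter()}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or ordinary comment
        status = "disabled" if m.group("off") else "enabled"
        # Search outside quoted strings so text in msg cannot match.
        c = CLASSTYPE_RE.search(QUOTED_RE.sub('""', line))
        totals[status] += 1
        by_class[status][c.group(1) if c else "(none)"] += 1
    return totals, by_class


def report(by_class, status="enabled"):
    """Format counts, highest first, one 'count classtype' per line."""
    rows = sorted(by_class[status].items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n} {name}" for name, n in rows]


if __name__ == "__main__":
    totals, by_class = summarize(SAMPLE_RULES)
    print("Total rules:", sum(totals.values()), dict(totals))
    print("\n".join(report(by_class, "enabled")))
```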