Author: Joel Esler
(As a reminder, the "Balanced" policy is the default shipping state of the Snort Subscriber Rule Set (Talos Rule Set) for Open Source Snort)
The "Maximum Detection" policy favors detection over rated throughput. In some situations this policy can and will cause significant throughput reductions. Cisco's Talos continues to recommend the "Balanced Connectivity and Security" policy for most networks, and the "Security Over Connectivity" policy for customers with more rigorous security requirements.
All new rules are placed into the policies based on these criteria. Every year, during the third quarter, the policies will be re-assessed, and rules from previous years will be removed from a policy as their vulnerabilities age, to keep the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2016, the rules from 2014 will be removed from the “Connectivity over Security” and “Balanced” policies, while the rules from 2013 will be removed from the “Security over Connectivity” policy. If rules move between categories, their presence in policies will also be decided based on the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, its presence in a policy based on the CVSS metric is also re-assessed.
Rules in the listed policies are evaluated on a rule-by-rule basis. Some older rules that do not meet the criteria above will nonetheless be present in the default policies. The above is the selection criteria for default rules, and is always subject to change based upon the threat landscape, the analysis of the vulnerability or bug, and the potential false positive rate.
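As an added illustration (not code from this post or from Talos), the temporal criterion described above applied to Snort rule text: the script reads each rule's `metadata:` policy tags (`connectivity-ips`, `balanced-ips`, `security-ips`) and its CVE reference year, and reports which policies a rule has aged out of for a given review year. The window lengths are inferred from the 2016 example in the text, the rule's year is assumed to be its CVE reference year, and the sample rules are constructed.

```python
import re

# Years (review year inclusive) a vulnerability stays in each policy, inferred from
# the Q3 2016 example: Connectivity and Balanced drop 2014 rules (keep 2015-2016),
# Security drops 2013 rules (keep 2014-2016). Assumption, not a published constant.
POLICY_WINDOW_YEARS = {"connectivity-ips": 2, "balanced-ips": 2, "security-ips": 3}

SID_RE = re.compile(r"\bsid:\s*(\d+)")
META_RE = re.compile(r"metadata:([^;]*);")
POLICY_RE = re.compile(r"policy\s+(connectivity-ips|balanced-ips|security-ips)\s+(alert|drop)")
CVE_RE = re.compile(r"reference:\s*cve,(\d{4})-\d+")

# Constructed sample rules; sids in the 9,000,000 range are local placeholders.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED 2014 bug"; '
    'flow:to_server,established; reference:cve,2014-0001; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED 2013 bug"; '
    'reference:cve,2013-0001; metadata:policy security-ips drop; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CONSTRUCTED 2015 bug"; '
    'reference:cve,2015-0001; metadata:policy connectivity-ips drop, '
    'policy balanced-ips drop, policy security-ips drop; sid:9000003; rev:1;)',
]


def parse_rule(rule):
    """Extract sid, policy tags and the (latest) CVE year from one rule's text."""
    sid_m = SID_RE.search(rule)
    if not sid_m:
        raise ValueError("rule has no sid")
    meta_m = META_RE.search(rule)
    policies = dict(POLICY_RE.findall(meta_m.group(1))) if meta_m else {}
    years = [int(y) for y in CVE_RE.findall(rule)]
    return {"sid": int(sid_m.group(1)), "policies": policies,
            "vuln_year": max(years) if years else None}


def stale_policies(parsed, review_year):
    """Policies whose temporal window the rule's vulnerability year has aged out of."""
    if parsed["vuln_year"] is None:
        return []  # no CVE reference: age cannot be judged by the temporal criterion alone
    return sorted(p for p in parsed["policies"]
                  if parsed["vuln_year"] <= review_year - POLICY_WINDOW_YEARS[p])


def audit(rules, review_year):
    """Map each sid to the policies it should be re-assessed for in the given review year."""
    return {r["sid"]: stale_policies(r, review_year) for r in map(parse_rule, rules)}


if __name__ == "__main__":
    for sid, stale in audit(SAMPLE_RULES, 2016).items():
        print(sid, "re-assess in:", stale or "none")
```

Rules that stay in a policy despite failing the window (the page notes older rules do remain) are a manual decision; the script only flags candidates.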