What do the base policies mean?


Author: Joel Esler


Connectivity over Security Base Policy:

  CVSS Score must be 10
  Age of the vulnerability:
    Current year (2016 for example)
    Last year (2015 in this example)
    Year before last (2014 in this example)
  Rule Category:
    Not used for this policy

Balanced Base Policy:

(As a reminder, the "Balanced" policy is the default shipping state of the Snort Subscriber Rule Set (Talos Rule Set) for Open Source Snort)

  CVSS Score 9 or greater
  Age of the vulnerability:
    Current year (2016 for example)
    Last year (2015 in this example)
    Year before last (2014 in this example)
  Rule Category:
    Malware-CnC
    Blacklist
    SQL Injection
    Exploit-kit
  Includes rules in the Connectivity Ruleset

Security over Connectivity Base Policy:

  CVSS Score 8 or greater
  Age of the vulnerability:
    Current year (2016 for example)
    Last year (2015 in this example)
    Year before last (2014 in this example)
    Year prior (2013 in this example)
  Rule Category:
    Malware-CnC
    Blacklist
    SQL Injection
    Exploit-kit
    App-detect
  Includes rules in the Balanced and Connectivity Rulesets

Max-Detect (Maximum Detection) Base Policy:

  CVSS Score of 7.5 or greater
  Age of the vulnerability:
    2005 or later
  Rule Category:
    Malware-CnC
    Exploit-kit
  Includes rules in the Security, Balanced, and Connectivity Rulesets

The "Maximum Detection" policy favors detection over rated throughput. In some situations this policy can and will cause significant throughput reductions. Cisco's Talos continues to recommend the "Balanced Connectivity and Security" policy for most networks, and the "Security Over Connectivity" policy for customers with more rigorous security requirements.

All new rules are placed into the policies based on these criteria. Every year, during the third quarter, the policies are re-assessed, and rules from previous years are removed from a policy as their vulnerabilities age out of its window, keeping the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2016, the rules from 2014 will be removed from the “Connectivity over Security” and “Balanced” policies, while the rules from 2013 will be removed from the “Security over Connectivity” policy. If rules move between categories, their presence in policies is also re-decided by the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, its presence in a policy based on the CVSS metric is also re-assessed.

Rules in the listed policies are evaluated on a rule-by-rule basis. Some older rules that fall outside the criteria above will nonetheless remain in the default policies. The above is the selection criteria for default rules, and it is always subject to change based upon the threat landscape, the analysis of the vulnerability or bug, and the potential false positive rate.
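The criteria above read as a decision procedure, so here is that procedure as code. This is an added example written for this page, not Talos' own selection tooling; it encodes only the CVSS, age and category criteria stated above plus the "includes the narrower rulesets" rule, and it cannot reproduce the analyst judgement the previous paragraph describes. The `Rule` type, the hypothetical SIDs in the sample data, and the lower-cased, hyphenated category names (`sql-injection` for "SQL Injection") are assumptions of this example. The `policy <name>-ips drop` strings rendered at the end are the metadata keywords the published rule set uses to record a rule's policy membership; the policy names in this code are chosen to match them.

```python
"""Which base policies a Snort rule lands in under the stated selection criteria.

Added example for this page; not Talos tooling. Criteria, years and
categories are taken from the policy descriptions above.
"""
from dataclasses import dataclass
from typing import List, Optional

# Per-policy criteria as the page states them. "years_back" is how far the age
# window reaches behind the assessment year (2 = current year plus the two
# before it); Max-Detect uses a fixed floor year instead. Category names are
# the page's, lower-cased and hyphenated (an assumption of this example).
POLICY_CRITERIA = {
    "connectivity": {"min_cvss": 10.0, "years_back": 2, "categories": set()},
    "balanced": {
        "min_cvss": 9.0, "years_back": 2,
        "categories": {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"},
    },
    "security": {
        "min_cvss": 8.0, "years_back": 3,
        "categories": {"malware-cnc", "blacklist", "sql-injection",
                       "exploit-kit", "app-detect"},
    },
    "max-detect": {
        "min_cvss": 7.5, "floor_year": 2005,
        "categories": {"malware-cnc", "exploit-kit"},
    },
}

# Narrowest to broadest: each policy also carries everything the ones before it carry.
POLICY_ORDER = ["connectivity", "balanced", "security", "max-detect"]


@dataclass
class Rule:
    sid: int
    category: str
    cvss: Optional[float] = None      # None when the rule has no scored vulnerability
    vuln_year: Optional[int] = None   # year of the vulnerability the rule covers


def _normalise(category: str) -> str:
    return category.strip().lower().replace(" ", "-")


def meets_own_criteria(policy: str, rule: Rule, assess_year: int) -> bool:
    """True if the rule passes this policy's own category test OR its CVSS+age test."""
    crit = POLICY_CRITERIA[policy]
    if _normalise(rule.category) in crit["categories"]:
        return True
    if rule.cvss is None or rule.vuln_year is None:
        return False
    if rule.cvss < crit["min_cvss"]:
        return False
    if "floor_year" in crit:
        return rule.vuln_year >= crit["floor_year"]
    return assess_year - crit["years_back"] <= rule.vuln_year <= assess_year


def policies_for(rule: Rule, assess_year: int) -> List[str]:
    """Policies containing the rule when assessed against assess_year.

    Once a rule qualifies for a policy it is also in every broader policy.
    That inclusion rule is what puts a Blacklist rule into Max-Detect even
    though Max-Detect's own category list does not name Blacklist.
    """
    member, included = [], False
    for policy in POLICY_ORDER:
        included = included or meets_own_criteria(policy, rule, assess_year)
        if included:
            member.append(policy)
    return member


def policy_metadata(policies: List[str]) -> str:
    """Render membership as the 'policy <name>-ips drop' metadata keywords
    the published rule set uses to mark which policies a rule is in."""
    return ", ".join(f"policy {p}-ips drop" for p in policies)


if __name__ == "__main__":
    # Constructed sample rules with hypothetical SIDs, not rules from the rule set.
    samples = [
        Rule(sid=1000001, category="server-webapp", cvss=10.0, vuln_year=2014),
        Rule(sid=1000002, category="blacklist"),
        Rule(sid=1000003, category="server-other", cvss=8.0, vuln_year=2013),
        Rule(sid=1000004, category="server-other", cvss=7.5, vuln_year=2006),
    ]
    for year in (2016, 2017):   # the second pass shows the annual roll-off
        print(f"assessed against {year}:")
        for r in samples:
            meta = policy_metadata(policies_for(r, year)) or "(no default policy)"
            print(f"  sid {r.sid}: {meta}")
```

Running it against 2016 and then 2017 shows the temporal re-assessment in action: the CVSS-10 rule for a 2014 vulnerability is in all four policies in 2016 but survives only in Security and Max-Detect once the window moves on, while the category-selected Blacklist rule is unaffected by the year because category membership carries no age test.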