IPS/IDS Coverage & Snort Rules

Talosintelligence.com now allows users to submit a PCAP associated with a Snort IPS false positive (when users receive an alert on traffic that is not actually malicious or unwanted). Users can also report malicious traffic that does not have current coverage if they have a relevant CVE. This helps Talos analysts write more specific rules that alert only on genuinely malicious traffic, or close gaps in IPS coverage.

Coverage Requests

Talos creates and publishes coverage based on its value to all of our customers. We accept coverage requests for CVEs released within the last three years, with a CVSS 3.0 score of 8.0 or higher, and for which the attack vector is NETWORK (this information can be verified at https://nvd.nist.gov). Exceptions MAY be made on a case-by-case basis for high-impact vulnerabilities which do not meet these criteria (e.g. Heartbleed).

Coverage requests without CVEs are acceptable if actionable data can be provided, such as a proof of concept, a PCAP of the events or other applicable research data. Custom coverage requests for rules that aren’t generally applicable to Cisco customers should be referred to the Cisco Customer Experience team.

Talos defines coverage as the ability to block or alert for specific malicious behavior. We provide full coverage when we can offer visibility (show when an event is happening) and/or prevent the activity from happening.
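To triage a candidate CVE against the three standard criteria above before filing a request, here is an added Python checker (example code written for this page, not part of the Talos site or any Talos tooling). It assumes the NVD-style CVSS 3.x vector string and ISO dates, and approximates the three-year window as 3 * 365 days.

```python
from datetime import date, timedelta

# Standard criteria stated on the page: CVSS 3.x base score of 8.0 or higher, attack
# vector NETWORK ("AV:N" in the vector string) and a CVE released within the last three
# years. The window is approximated as 3 * 365 days (this example's assumption).
MIN_CVSS3_SCORE = 8.0
MAX_AGE = timedelta(days=3 * 365)
REQUIRED_AV = "N"


def parse_cvss3_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}.
    Accepts the 3.0 and 3.1 prefixes (assumption); rejects anything else,
    including CVSS 2 strings such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    parts = vector.strip().split("/")
    if parts[0] not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    if "AV" not in metrics:
        raise ValueError(f"no AV metric in {vector!r}")
    return metrics


def coverage_request_issues(published: str, base_score: float, vector: str,
                            today: str = "") -> list:
    """Reasons a request misses the standard criteria; [] means it qualifies outright.
    Dates are ISO strings as NVD publishes them ('2024-05-01' or '2024-05-01T12:00:00').
    Case-by-case exceptions (the page's Heartbleed example) remain a human decision."""
    pub = date.fromisoformat(published[:10])
    now = date.fromisoformat(today[:10]) if today else date.today()
    issues = []
    if pub < now - MAX_AGE:
        issues.append(f"published {pub} is more than three years before {now}")
    if base_score < MIN_CVSS3_SCORE:
        issues.append(f"CVSS 3.x base score {base_score} is below {MIN_CVSS3_SCORE}")
    try:
        av = parse_cvss3_vector(vector)["AV"]
    except ValueError as exc:
        issues.append(str(exc))
    else:
        if av != REQUIRED_AV:
            issues.append(f"attack vector is AV:{av}, not AV:{REQUIRED_AV} (NETWORK)")
    return issues
```

Feed it the published date, CVSS 3.x base score and vector string from the NVD record; an empty list means the request meets the standard criteria, otherwise each string names the criterion that fails.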

How do I make a PCAP?

For Windows, Android, and Linux operating systems, see this guide. Wireshark can be used in Windows environments, while Linux and macOS use tcpdump. For a detailed macOS guide, see this.