[Snort-devel] Signature Quality Rules
hoagland at ...60...
Thu Feb 22 13:21:15 EST 2001
>Well... I have been doing quite a bit of work validating the snort rules
>in the current database, and I have a broad decision question for y'all.
>Most of our WEB-CGI rules just list the program, such as
>"/cgi-bin/count.cgi" and do not include a signature for the actual
>I propose that we move all of these "program names" into one rule.
A 2nd note.
Have you considered what impact this change would have on the ability
to include the reference information in the rule? For example,
"reference:arachnids,251;" being able to be included in the rule.
This information is being used by spo_idmef and is increasingly being
included in the rules (sometimes instead of the old ugly IDSxxx info
in the msg field).
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...60... *|
|* http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (707) 445-4222 *|
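
An added illustration of the concern raised in this message, not code from the post or from Snort: it parses rule options and compares the reference data each rule carries on its own with what one consolidated rule could report. The sample rules, the `example,0000` reference, and the model of a merged rule as carrying the union of all references are assumptions.

```python
import re

# Constructed sample rules, not taken from the Snort rule database. Only the
# count.cgi path and "arachnids,251" appear in the message; pairing them and
# the whole second rule (with its placeholder reference) are assumptions.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-CGI count.cgi access"; '
    'content:"/cgi-bin/count.cgi"; reference:arachnids,251;)',
    'alert tcp any any -> any 80 (msg:"WEB-CGI example.cgi access"; '
    'content:"/cgi-bin/example.cgi"; reference:example,0000;)',
]

# keyword:value; pairs, where a value is a quoted string or runs up to ';'
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')

def parse_options(rule):
    """Return the (keyword, value) pairs from a rule's option block."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(k, v.strip('"')) for k, v in OPTION.findall(body)]

def per_rule_refs(rules):
    """Map each content string to the references carried by its own rule."""
    index = {}
    for rule in rules:
        opts = parse_options(rule)
        refs = [v for k, v in opts if k == "reference"]
        for k, v in opts:
            if k == "content":
                index.setdefault(v, []).extend(refs)
    return index

def merged_refs(rules):
    """Assumed model of one consolidated rule: the union of all references."""
    union = []
    for rule in rules:
        for k, v in parse_options(rule):
            if k == "reference" and v not in union:
                union.append(v)
    return union

def ambiguous_after_merge(rules):
    """For each program, references a merged alert would wrongly attach to it."""
    union = merged_refs(rules)
    return {c: [r for r in union if r not in refs]
            for c, refs in per_rule_refs(rules).items()
            if len(union) > len(refs)}
```
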