[Snort-devel] Signature Quality Rules

James Hoagland hoagland at ...60...
Thu Feb 22 13:21:15 EST 2001


>Well... I have been doing quite a bit of work validating the snort rules
>in the current database, and I have a broad decision question for y'all.
>
>Most of our WEB-CGI rules just list the program, such as
>"/cgi-bin/count.cgi" and do not include a signature for the actual
>attempt.
>
>I propose that we move all of these "program names" into one rule.

Brian,

A 2nd note.

Have you considered what impact this change would have on the ability 
to include the reference information in the rule?  For example, 
"reference:arachnids,251;" being able to be included in the rule. 
This information is being used by spo_idmef and is increasingly being 
included in the rules (sometimes instead of the old ugly IDSxxx info 
in the msg field).

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|
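
Added example, not part of the original message and not Snort's own code: a small rule audit showing which reference ids a consumer of the rule (such as an output plugin) could recover from per-program rules versus a single merged rule. The sample rules are constructed; the pairing of arachnids,251 with count.cgi, the IDS000 token, the content-list layout of the merged rule, and the reading of IDSnnn as an arachnids id are assumptions.

```python
import re

# Constructed sample rules, not taken from the Snort rule set. arachnids,251 is
# the id quoted in the message; pairing it with count.cgi, the IDS000 token and
# the content-list layout of the merged rule are assumptions for illustration.
PER_PROGRAM = [
    'alert tcp any any -> any 80 (msg:"WEB-CGI count.cgi access"; '
    'content:"/cgi-bin/count.cgi"; reference:arachnids,251;)',
    'alert tcp any any -> any 80 (msg:"IDS000 - WEB-CGI example.cgi access"; '
    'content:"/cgi-bin/example.cgi";)',
]
MERGED = ('alert tcp any any -> any 80 (msg:"WEB-CGI program access"; '
          'content-list:"cgi-programs";)')

# keyword, then an optional value in which quoted strings may contain ';'
OPTION_RE = re.compile(r'\s*([\w-]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')
LEGACY_ID = re.compile(r'\bIDS(\d+)\b')  # older style: id embedded in msg


def parse_options(rule):
    """Return (keyword, value) pairs from the parenthesised rule body."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(k, v.strip()) for k, v in OPTION_RE.findall(body)]


def references(rule):
    """Return (system, id, origin) for every reference the rule carries."""
    refs = []
    for key, value in parse_options(rule):
        if key == 'reference':
            system, _, ident = value.partition(',')
            refs.append((system.strip(), ident.strip(), 'reference option'))
        elif key == 'msg':
            # Assumption: a legacy IDSnnn token names an arachnids entry.
            refs += [('arachnids', n, 'msg text') for n in LEGACY_ID.findall(value)]
    return refs


def audit(rules):
    """Map each rule's msg to the references a consumer could report."""
    return {dict(parse_options(r)).get('msg', '').strip('"'): references(r)
            for r in rules}


if __name__ == '__main__':
    for msg, refs in audit(PER_PROGRAM + [MERGED]).items():
        print(f'{msg!r}: {refs or "no reference available"}')
```

Running the audit over a rule set before and after a consolidation shows which per-signature references would no longer be attached to any alert.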



