[Snort-devel] Signature Quality Rules

Martin Roesch roesch at ...48...
Fri Feb 23 00:26:28 EST 2001


Let's hold off breaking Snortsnarf until after 1.7.1 ships, I want to
get a new stable/bugfixed version out there to clean up the stuff from
the 1.7 release.  After we do that we can talk about all this stuff in
the 2.0 development stage.

    -Marty

Brian Caswell wrote:
> 
> James Hoagland wrote:
> >
> > >Well... I have been doing quite a bit of work validating the snort rules
> > >in the current database, and I have a broad decision question for y'all.
> > >
> > >Most of our WEB-CGI rules just list the program, such as
> > >"/cgi-bin/count.cgi" and do not include a signature for the actual
> > >attempt.
> > >
> > >I propose that we move all of these "program names" into one rule.
> >
> > Brian,
> >
> > A 2nd note.
> >
> > Have you considered what impact this change would have on the ability
> > to include the reference information in the rule?  For example,
> > "reference:arachnids,251;" being able to be included in the rule.
> > This information is being used by spo_idmef and is increasingly being
> > included in the rules (sometimes instead of the old ugly IDSxxx info
> > in the msg field).
> 
> Yeah, that hit me last night.  I guess what I am looking for is a deeper
> snort rule configuration.  Something akin to
> 
> alert tcp $EXTERNAL any -> $HOME_NET 80 ( msg:"WEB "; flags:A+; \
>    [ msg:"PHF attempt"; content:"/cgi-bin/phf?Qalias=x%0a";],
>    [ msg:"PHF access"; content:"/cgi-bin/phf"; ]
>    nocase; reference:cve,CVE-1999-0067;)
> 
> From what I read of Marty's LISA paper, similar rules are munged
> together, so it would not change the rule chains any, but it would make
> keeping accurate rules easier.
> 
> --
> Brian Caswell
> The MITRE Corporation
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org
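Added example, not from the thread or from Snort itself: a small Python model of the rule chains Brian refers to above, where rules sharing a header are collapsed into one header node with a list of option nodes. The rules are constructed for this example (the `$EXTERNAL_NET`/`$HOME_NET` names are assumed); it also shows why the "attempt" and "access" signatures need their own msg and reference fields, since a phf attempt URI matches both contents.

```python
# Toy model of Snort 1.x rule chains: one node per distinct rule header
# (action proto src sport -> dst dport) carrying the option sets of every
# rule that shares it. Added example, not Snort's own code.

# Constructed sample rules; the CVE id is the one quoted in the thread.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf attempt"; flags:A+; content:"/cgi-bin/phf?Qalias=x%0a"; nocase; reference:cve,CVE-1999-0067;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; flags:A+; content:"/cgi-bin/phf"; nocase; reference:cve,CVE-1999-0067;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI count.cgi access"; flags:A+; content:"/cgi-bin/count.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP bad login"; content:"530 "; nocase;)
"""


def parse_rule(line):
    """Split one rule into its header (the chain key) and an option dict.
    Assumes the first '(' starts the option list, as in Snort 1.x syntax."""
    header, _, body = line.partition("(")
    opts = {}
    for item in body.rstrip(")").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")  # flag options like nocase have no value
        opts.setdefault(key, []).append(val.strip().strip('"'))
    return header.strip(), opts


def build_chains(text):
    """Group option nodes under one header node per distinct header."""
    chains = {}
    for line in text.strip().splitlines():
        header, opts = parse_rule(line)
        chains.setdefault(header, []).append(opts)
    return chains


def match_uri(chains, uri):
    """Return the msg of every port-80 option node whose content occurs in uri,
    honouring nocase; used here to show which signatures a request would hit."""
    hits = []
    for header, otns in chains.items():
        if not header.endswith(" 80"):
            continue
        for otn in otns:
            content = otn["content"][0]
            if "nocase" in otn:
                matched = content.lower() in uri.lower()
            else:
                matched = content in uri
            if matched:
                hits.append(otn["msg"][0])
    return hits
```

Running `match_uri(build_chains(RULES), "/CGI-BIN/phf?Qalias=x%0a")` returns both phf messages, which is the overlap a merged "program name" rule would have to keep distinct if each sub-signature is to carry its own reference.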
