[Snort-sigs] Snort Sigs and RealSecure

Erek Adams erek at ...101...
Tue May 7 22:42:03 EDT 2002

On Tue, 7 May 2002, Alan Armstrong wrote:

> Hello everyone,

Hello Al!

> I am not very familiar with Snort signatures and rules.

Well...  Welcome to the wonderful world of Snort and it's Sigs.

> Is anyone using Snort and RealSecure? I am wondering if most Snort
> signatures can be translated into RealSecure user defined events? Does
> anyone already do this and have a collection of user defined RealSecure
> events created from snort signatures?  Perhaps someone has a list of most
> popular/current worm/virus signatures that could be translated into
> RealSecure user defined events?
> Many thanks in advance.

Al, you pose some good questions, but let me try to throw a bit of a different
light on thm for you....

  If you went to a MicroSoft mailing list and asked for someone to devlop a
"Linux Emulator", what do you think the response would be?  Probablly a bit
less than nice...  :-/ Keep in mind that these two prodcuts are in the same
competitive space.  In all honesty, rather doubt that anyone on this list has
_any_ urge to convert snort *.rules into anything for ISS products.  Heh, in
fact we've got signatures to _detect_ Realsecure already in the distro. :)

It's agreed that using different methods of NIDS technologies on your net is a
_good_ idea, but it's a rather long shot that someone here would 'care' enough
about RS to want to do that.

If the person running your RS sensor understands how to use the user defined
events, they should be able to figure out the snort .rules 'language'.  It's
fairly simplsitic, without a lot of cruft to make it 'cumbersome' (N-code
anyone? ;-> )

I'm not trying to being a jerk, just a realist.


Erek Adams

More information about the Snort-sigs mailing list