[Snort-sigs] Few positives on several rules on POP3

Erek Adams erek at ...95...
Wed Oct 22 20:17:02 EDT 2003

On Wed, 22 Oct 2003, Jacob Roberts wrote:

> I posted with the same question but got little response.  I am starting
> to get the feeling that the recommended solutions to these types of rule
> problems are:
> 	1.  Turn the rule off
> 	2.  Use some sort of ignore rule or BPF
> 	3.  Use thresholding so you don't see so many false positives (you
> won't see the true positives either in many cases)
> This seems like the wrong attitude to me.
> Shouldn't we be concerned with improving the sigs so they detect the
> correct packets and not produce so many false positives?  Isn't snort
> only as powerful/useful as the ruleset you are using with it? I know
> that's not entirely true but what good is a really powerful matching
> engine that always matches everything because the matching rules are
> poorly written?
> It seems like we need some sort of signature/rule user system for
> creating, improving, replacing, repairing, etc.  Suppose I fix my rules,
> how do I get those submitted, tested, approved and whatever else so all
> the other snort users can get them too?
> Right now people can post them here, but searching the list archives for
> a sig update isn't very effective.  Is there some other method that I am
> unaware of?

A couple of things to keep in mind:

	* If you're using the default rules, you're probably not running
in a 'real environment'.
	* Write your own rules.

Now, let me explain those in a bit more detail:

*  The default rules are just that, "default".  They aren't perfect, nor
are they intended to be.  They are written with the 'shotgun' theory in
mind.  Aim to hit the middle of the target, and you'll get about 75% of
the goal.  The goal with those rules is to provide a _base_ from which
you can write and build your own.  There are quite a few signatures that
could be improved, but for the most part, those sigs would be better
rewritten specifically for your setup.  Think of it like the default
Solaris inetd.conf--It's there and it works, but you're _much_ better off
to rework it for yourself.  Same idea here.  If you don't like the way
that a sig works--Change it.  It's that simple.

* Writing your own rules:  See above. :)  Design your own rules for your
own network.  It's not that hard, it's just that most people don't want to
take the time to write rules.  They would rather make use of the generic
default sigs than to build specific ones for their own network.

Now please don't think that I'm "coming down on you."  I'm just explaining
what I asked years ago as it was explained to me. :)

As for the submission of rules and updates....  That would be something
that the 'Keeper of The Rules' would be better suited to answer. :)


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
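As an added illustration of the "change the sig" advice and the three options listed in the thread (this is a constructed example, not a rule from the thread or from the Snort ruleset), the fragment below puts a broad default-style POP3 rule beside a version rewritten for one site's own network, then shows a threshold and a suppress entry as the alternative to switching the rule off. The address ranges, the POP3_SERVERS variable and the sids in the 1000000+ local range are placeholders chosen for the example.

```snort
# Constructed example: a broad "default"-style POP3 rule beside a version
# rewritten for one network. Not from the thread or the Snort ruleset.
#
# Assumed site variables (documentation-range placeholder addresses).
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var POP3_SERVERS [192.0.2.10,192.0.2.11]

# Before: matches the string "PASS" from any host to any host on port 110,
# in any state, so every ordinary mail client login on the segment fires it.
# alert tcp any any -> any 110 (msg:"POP3 PASS seen"; content:"PASS"; sid:1000001; rev:1;)

# After: only external clients, only the site's real POP3 servers, only on
# an established session, and only when the PASS argument is unusually long
# (a symptom worth a look) rather than on the command itself.
alert tcp $EXTERNAL_NET any -> $POP3_SERVERS 110 (msg:"LOCAL POP3 oversized PASS argument"; \
    flow:to_server,established; content:"PASS "; nocase; depth:5; \
    isdataat:256,relative; pcre:"/^PASS\s[^\n]{256}/i"; \
    classtype:attempted-user; sid:1000002; rev:2;)

# Option 3 from the thread, applied only after the rule is tightened: report
# at most one event per source per five minutes instead of disabling the rule
# (snort.conf or threshold.conf syntax).
threshold gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 300

# A single known-good host that legitimately trips the rule can be suppressed
# on its own, leaving detection on for everyone else.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.50
```

The point of the rewrite is that each added constraint (direction, server list, session state, anchored content, length condition) removes a class of benign traffic the generic rule had to match because it knew nothing about the network; thresholding and suppression are then used to trim residual noise from specific sources, not to hide a rule that is wrong for the site.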

