[Snort-sigs] Few posistives on several rules on POP3 + The Ta o of Snort-Sigs

Moyer, Shawn SMoyer at ...758...
Fri Oct 24 01:24:17 EDT 2003

Erek makes good points, as usual, but I can understand Jacob's frustration. An IDS is only as good as its sigs and even default sigs with no tuning still have room for improvement.

I really think that better management of rules submitted via this list would help Snort all around. Yes, we should (and most do) write our own rules, but part of the point of this enterprise of a community-supported application is sharing our resources. 

The Sourcefire folks would serve themselves and the community well by creating a simple web submission form on their website or elsewhere for submitting rule updates and new rules so they could added more efficiently, probably added to the -devel sigs automatically and then to -stable after a suitable testing period -- as it is today it seems like maybe a third of the rules submitted to this list end up in the ruleset. It's a PITA tracking the rules submitted to this list and manually adding sigs to an ever-growing local.rules, and it strikes me as counter to the point of OSS for each of us to work in a vaccuum. 

... and the HST quote is "when the *going* gets weird, the weird turn pro".


(Pro Weirdo)

> -----Original Message-----
> From: Erek Adams [mailto:erek at ...95...]
> Sent: Wednesday, October 22, 2003 9:54 PM
> To: Jacob Roberts
> Cc: snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] Few posistives on several rules on POP3
> On Wed, 22 Oct 2003, Jacob Roberts wrote:
> >
> > I posted with the same question but got little response.  I 
> am starting
> > to get the feeling that the recommended solutions to these 
> types of rule
> > problems are:
> > 	1.  Turn the rule off
> > 	2.  Use some sort of ignore rule or BPF
> > 	3.  Use thresholding so you don't see so many false 
> positives (you
> > won't see the true positives either in many cases)
> >
> > This seems like the wrong attitude to me.
> >
> > Shouldn't we be concerned with improving the sigs so they detect the
> > correct packets and not produce so many false positives.  
> Isn't snort
> > only as powerful/useful as the ruleset you are using with it? I know
> > that's not entirely true but what good is a really powerful matching
> > engine that always matches everything because the matching rules are
> > poorly written?
> >
> > It seems like we need some sort of signature/rule user system for
> > creating, improving, replacing, repairing, etc.  Suppose I 
> fix my rules,
> > how do I get those submitted, tested, approved and whatever 
> else so all
> > the other snort users can get them too?
> >
> > Right now people can post them here, but searching the list 
> archives for
> > a sig update isn't very effective.  Is there some other 
> method that I am
> > unaware of?
> A couple of things to keep in mind:
> 	* If you're using the default rules, you're probably not running
> in a 'real environment'.
> 	* Write your own rules.
> Now, let me explain those in a bit more detail:
> *  The default rules are just that "default".  They aren't 
> perfect, nor
> are they intended to be.  They are written with the 'shotgun' 
> theory in
> mind.  Aim to hit the middle of the target, and you'll get 
> about 75% of
> the goal.  The goal with those rules are to provide a _base_ 
> from where
> you can write and build your own.  There's quite a few signatures that
> could be improved, but for the most part, those sigs would be better
> rewritten specifically for your setup.  Think of it like the default
> Solaris inetd.conf--It's there and it works, but you're 
> _much_ better off
> to rework it for your self.  Same idea here.  If you don't 
> like the way
> that a sig works--Change it.  It's that simple.
> * Writing your own rules:  See above. :)  Design your own 
> rules for your
> own network.  It's not that hard, it's just that most people 
> don't want to
> take the time to write rules.  They would rather make use of 
> the generic
> default sigs than to build specific ones for their own network.
> Now please don't think that I'm "coming down on you."  I'm 
> just explaining
> what I asked years ago as it was explained to me. :)
> As for the submission of rules and updates....  That would be 
> something
> that the 'Keeper of The Rules' would be better suited to answer. :)
> Cheers!
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."   H.S. Thompson
> -------------------------------------------------------
> This SF.net email is sponsored by OSDN developer relations
> Here's your chance to show off your extensive product knowledge
> We want to know what you know. Tell us and you have a chance 
> to win $100
> http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list