[Snort-sigs] FW: Signature Database
James at ...2424...
Tue Apr 27 07:01:04 EDT 2004
While I certainly DON'T want to detract from the sig base on snort.org I
must say that for me, it is always a LITTLE behind where I would like
it. I am hoping that by having a Sig Database that we all keep current
with the sigs that we write then everyone can have a little more chance
of catching something that they might have otherwise missed.
I monitor a network with over 60 servers and over 10,000 IPs. I have
200Mb/s being sniffed and with the various OSs that I have my sig-base
is pretty large... in order to make IDS useful to me I need to keep the
sig-base as up to date as possible with as many of the new worm and
exploit sigs in the base as possible and as few of the sigs that don't
apply to me. In my environment it is very difficult to know what is an
attack and what is user stupidity, so this up to date-ness is very
important to me. That's why I thought that this needed to be done. Not
to replace the snort sig-base but to allow myself and the others that
need it to more easily keep up to date... this way if I write a good
sig for something you don't need to write the same thing.. you can just
use mine... etc. I think we all write custom sigs... that is the point
of having the local.rules file..... this just makes it easier.
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Brian King
Sent: Tuesday, April 27, 2004 9:11 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FW: Signature Database
I failed to mention that whitehats has (what looks like) a good webform
for submitting signatures: http://www.whitehats.com/ids/submit.html .