[Snort-sigs] FW: Signature Database
bking at ...2422...
Tue Apr 27 07:56:14 EDT 2004
I agree that it is good to share sigs as opposed to duplicating our efforts.
Then we can spend more time making our signatures better; better documented,
more accurate, etc. There could be a -CURRENT branch like FreeBSD with
bleeding edge sigs. Then the only question is "why not snort.org?". Would
snort.org simply be duplicating your effort? Would we be splintering our
resources by creating another sig site? To be completely up to date, would
we need to compile signatures from several different places?
From: James Ashton
Sent: Tuesday, April 27, 2004 9:52 AM
To: King, Brian
Subject: RE: [Snort-sigs] FW: Signature Database
While I certainly DON'T want to detract from the sig base on snort.org I
must say that for me, it is always a LITTLE behind where I would like it. I
am hoping that by having a Sig Database that we all keep current with the
sigs that we write then everyone can have a little more chance of catching
something that they might have otherwise missed.
I monitor a network with over 60 servers and over 10,000 IPs. I have
200Mb/s being sniffed and with the various OSs that I have my sig-base is
pretty large... in order to make IDS useful to me I need to keep the
sig-base as up to date as possible with as many of the new worm and exploit
sigs in the base as possible and as few of the sigs that don't apply to me.
In my environment it is very difficult to know what is an attack and what is
user stupidity, so this up-to-dateness is very important to me. That's why
I thought that this needed to be done. Not
to replace the snort sig-base but to allow myself and the others that
need it to more easily keep up to date... this way if I write a good sig
for something you don't need to write the same thing... you can just use
mine... etc. I think we all write custom sigs... that is the point of
having the local.rules file..... this just makes it easier.