[Snort-sigs] FW: Signature Database

James Ashton James at ...2424...
Tue Apr 27 08:19:10 EDT 2004


I didn't know anyone AT snort.org and I wanted something started and I
was willing to set it up... so I did.
http://www.snort.gitflorida.com/phpBB2/ is a pretty hack job of setting
something like this up. Several people have offered to donate time. One
gentleman offered a script to check the sigs and verify that they don't
crash Snort. I am going to talk to him about that and I hope that and
several other ideas people have sent to me get implemented... but I
haven't had time in the day that it has been up to set these things
up. As for why not snort.org... well, I think those guys work VERY
hard at it and they still have their day jobs (granted it is a similar
job for most of them), but I have the resources that are free to me. I,
by no means, want to detract from snort.org, but I also want to keep up
to date in a way that they would have to spend a TON of resources to
accomplish. I was hoping to talk to someone over there in the next few
days and see what they thought of this idea and if I could get a link
from their site and maybe some good documentation to post on sig
testing. I also realize that just posting sigs may not be for everyone..
a lot of people will want to do extensive sig testing. I definitely know
that a lot of people are looking to get them fast though, and since
there isn't really a centralized method for that at the moment,
I figured I would try to create one.
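
The message above mentions a contributed script that checks submitted sigs and verifies they don't crash Snort. That script is not on this page. What follows is an added example of my own, not the thread's or the Snort project's code, of the kind of pre-submission check a shared signature database would want. It assumes Snort 2 rules written one per line in the usual "action proto src sport dir dst dport (options;)" form, applies a few static checks (header shape, msg: and sid: present, SIDs at or above 1,000,000 since Snort reserves the numbers below that for the distributed rule set, no duplicate SIDs within the file), and only when a snort binary is on PATH also loads the file with "snort -T" through a throwaway config. The function names, the "EXAMPLE" rule messages and the sample rule file are constructed for illustration; the sample rules are not real detection content.

```shell
#!/bin/sh
# Added example (not the script offered in the thread): static checks plus an
# optional `snort -T` load test for Snort 2 rules headed for a shared database.
set -f   # rule text is split into words below; never let the shell glob it

# rule_errors RULE_LINE
# Prints one problem per line, or nothing if the rule passes the checks.
rule_errors() {
    line=$(printf '%s' "$1" | sed 's/[[:space:]]*$//')
    case $line in
        ''|\#*) return 0 ;;          # blank line or comment
    esac
    set -- $line                     # header: action proto src sport dir dst dport
    case $1 in
        alert|log|pass|drop|reject|sdrop) ;;
        *) echo "unknown action '$1'" ;;
    esac
    case $2 in
        tcp|udp|icmp|ip) ;;
        *) echo "unknown protocol '$2'" ;;
    esac
    case $5 in
        '->'|'<>') ;;
        *) echo "bad direction operator '$5'" ;;
    esac
    case $line in
        *'('*';)') ;;
        *) echo "options are not enclosed as ( ... ;)" ;;
    esac
    case $line in
        *'msg:'*) ;;
        *) echo "missing msg:" ;;
    esac
    sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -z "$sid" ]; then
        echo "missing sid:"
    elif [ "$sid" -lt 1000000 ]; then
        # Snort keeps SIDs below 1,000,000 for the distributed rule set;
        # contributed local rules must stay out of that range.
        echo "sid $sid is below 1000000 (reserved for the official rules)"
    fi
}

# check_rules FILE
# Reports per-line problems on stderr, prints "errors=N dupsids=M" on stdout,
# and returns 0 only when both counts are zero.
check_rules() {
    file=$1 errors=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        out=$(rule_errors "$line")
        if [ -n "$out" ]; then
            printf '%s:%d: %s\n' "$file" "$lineno" "$out" >&2
            errors=$((errors + 1))
        fi
    done < "$file"
    # A shared database breaks the first time two contributors reuse a SID.
    dupsids=$(sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" \
              | sort | uniq -d | tr '\n' ' ')
    ndups=$(printf '%s' "$dupsids" | wc -w | tr -d ' ')
    [ "$ndups" -gt 0 ] && echo "$file: duplicate sid(s): $dupsids" >&2
    echo "errors=$errors dupsids=$ndups"
    [ "$errors" -eq 0 ] && [ "$ndups" -eq 0 ]
}

# snort_test FILE
# The only check that really shows a rule will not crash the sensor is to let
# snort parse it. -T tests the configuration and exits without sniffing; a
# throwaway config that just includes FILE keeps the test independent of the
# sensor's own snort.conf (rules that use $HOME_NET and friends would need
# those variables defined there too). Skipped, with success, when snort is
# not installed.
snort_test() {
    command -v snort >/dev/null 2>&1 || { echo "snort not on PATH; load test skipped"; return 0; }
    conf=$(mktemp) || return 1
    printf 'include %s\n' "$1" > "$conf"
    snort -T -c "$conf"; rc=$?
    rm -f "$conf"
    return "$rc"
}

# write_sample FILE: constructed rules for trying the checker, not real detection content.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample rule set
alert tcp any any -> any 80 (msg:"EXAMPLE cmd.exe in HTTP request"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert udp any any -> any 1434 (msg:"EXAMPLE udp payload starting with 0x04 to port 1434"; content:"|04|"; depth:1; sid:1000002; rev:1;)
alert tcp any any -> any 445 (msg:"EXAMPLE rule missing its sid"; content:"|FF|SMB"; rev:1;)
alert tcp any any -> any 21 (msg:"EXAMPLE rule reusing sid 1000001"; content:"USER"; sid:1000001; rev:1;)
EOF
}

# usage: sh sigcheck.sh local.rules   (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    check_rules "$1" && snort_test "$1"
fi
```

Run against the constructed sample the checker flags the rule without a sid and the reused sid 1000001, and reports "errors=1 dupsids=1". The static checks are deliberately cheap and portable so they can run in a forum upload hook; they are no substitute for the "snort -T" step, which is the only one that exercises Snort's own parser.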

-----Original Message-----
From: Brian King [mailto:bking at ...2422...] 
Sent: Tuesday, April 27, 2004 10:49 AM
To: snort-sigs at lists.sourceforge.net
Cc: James Ashton
Subject: RE: [Snort-sigs] FW: Signature Database

I agree that it is good to share sigs as opposed to duplicating our
efforts. Then we can spend more time making our signatures better: better
documented, more accurate, etc. There could be a -CURRENT branch like
FreeBSD with bleeding-edge sigs. Then the only question is "why not
snort.org?". Would snort.org simply be duplicating your effort? Would we
be splintering our resources by creating another sig site? To be
completely up to date, would we need to compile signatures from several
different places?

-Brian

-----Original Message-----
From: James Ashton
Sent: Tuesday, April 27, 2004 9:52 AM
To: King, Brian
Subject: RE: [Snort-sigs] FW: Signature Database


While I certainly DON'T want to detract from the sig base on snort.org, I
must say that for me, it is always a LITTLE behind where I would like it.
I am hoping that by having a sig database that we all keep current with
the sigs that we write, then everyone can have a little more chance of
catching something that they might have otherwise missed.

 I monitor a network with over 60 servers and over 10,000 IPs. I have
200Mb/s being sniffed and with the various OSs that I have, my sig-base
is pretty large... in order to make IDS useful to me I need to keep the
sig-base as up to date as possible, with as many of the new worm and
exploit sigs in the base as possible and as few of the sigs that don't
apply to me. In my environment it is very difficult to know what is an
attack and what is user stupidity, so this up-to-dateness is very
important to me. That's why I thought that this needed to be done. Not
to replace the snort sig-base, but to allow myself and the others that
need it to more easily keep up to date... this way if I write a good sig
for something you don't need to write the same thing.. you can just use
mine... etc. I think we all write custom sigs... that is the point of
having the local.rules file..... this just makes it easier.
