[Snort-sigs] FW: Signature Database

Brian bmc at ...95...
Tue Apr 27 08:58:00 EDT 2004


On Tue, Apr 27, 2004 at 10:00:20AM -0400, James Ashton wrote:
> While I certainly DON'T want to detract from the sig base on snort.org I
> must say that for me, it is always a LITTLE behind where I would like
> it. I am hoping that by having a Sig Database that we all keep current
> with the sigs that we write then everyone can have a little more chance
> of catching something that they might have otherwise missed. 

Quality is more important than quantity.

Simple string matches to catch a specific exploit may be useful for
the few days after the exploit is written, but after that, people
start writing new exploits with different shellcode.  The majority of
the signatures contributed lately (on snort-sigs and other places)
meet a specific short-term need but lack the quality needed for
long-term use.

Before rules go into snort's "official" rules repository the rules
need to be of a certain level of quality.  Short term use rules
(simple shellcode based string match) generally do not fall into that
category.

If you write rules for the vulnerability, not the exploit, the quality
of the rules will go up.

Brian
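To make the "vulnerability, not exploit" point concrete, here is an added example that is not part of Brian's post or of the Snort rule set. It assumes a hypothetical FTP-style daemon whose USER handler copies its argument into a 64-byte buffer (a constructed scenario, not a real advisory) and compares two detection approaches over constructed sample traffic: a string match on the first public exploit's shellcode bytes (in Snort terms, a `content` match on those bytes) versus a check on the overflow condition itself, an over-long USER argument (in Snort terms, `content:"USER"` followed by an `isdataat`/`pcre` length test). The second approach keeps firing when the exploit is rewritten with different padding and shellcode.

```python
"""
Exploit-signature vs vulnerability-signature detection.

Scenario (constructed, hypothetical): a server's USER command handler copies
the command argument into a 64-byte buffer, so any argument longer than that
triggers the overflow, whatever bytes it carries.
"""
import re

# Constructed sample traffic (not real captures).
# The exploit as first published: NOP sled + a specific shellcode stub + filler.
EXPLOIT_V1 = (b"USER " + b"\x90" * 40
              + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
              + b"A" * 40 + b"\r\n")
# The same overflow re-weaponised a week later: different sled, different shellcode.
EXPLOIT_V2 = (b"USER " + b"\x41" * 30
              + b"\xeb\x1f\x5e\x89\x76\x08"
              + b"B" * 60 + b"\r\n")
# Legitimate logins.
BENIGN_1 = b"USER anonymous\r\n"
BENIGN_2 = b"USER first.last+tag@example.com\r\n"

# Shellcode bytes lifted from EXPLOIT_V1: the basis of a "signature for the exploit".
SHELLCODE_V1 = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"

# Buffer size in the hypothetical vulnerable handler (assumption for this example).
USER_BUFFER_LEN = 64


def exploit_rule(payload: bytes) -> bool:
    """Short-term rule: fire on the exact shellcode of the first public exploit.

    Snort analogue: content:"|31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|";
    """
    return SHELLCODE_V1 in payload


_USER_RE = re.compile(rb"^USER[ \t]+([^\r\n]*)", re.IGNORECASE)


def vulnerability_rule(payload: bytes) -> bool:
    """Long-term rule: fire when the USER argument is longer than the
    vulnerable buffer, regardless of what the bytes are.

    Snort analogue: content:"USER"; nocase; isdataat:64,relative;
    (or a pcre length test on the argument).
    """
    m = _USER_RE.match(payload)
    if not m:
        return False
    return len(m.group(1)) > USER_BUFFER_LEN


SAMPLES = {
    "exploit_v1": EXPLOIT_V1,
    "exploit_v2": EXPLOIT_V2,
    "benign_1": BENIGN_1,
    "benign_2": BENIGN_2,
}


def evaluate(rule, samples=SAMPLES) -> dict:
    """Run one rule over every sample and return {name: fired}."""
    return {name: rule(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, rule in (("exploit rule", exploit_rule),
                       ("vulnerability rule", vulnerability_rule)):
        print(name)
        for sample, fired in evaluate(rule).items():
            print(f"  {sample:12s} -> {'ALERT' if fired else 'pass'}")
```

Running it shows the exploit rule catching only `exploit_v1` and going silent on `exploit_v2`, while the vulnerability rule fires on both and stays quiet on the legitimate logins. The usual caveat for the length-based rule applies: it needs the same flow-direction and port qualifiers a real Snort rule would carry, and the threshold must come from the actual vulnerable buffer size, otherwise long but legal usernames become false positives.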
