[Snort-sigs] FW: Signature Database

James Ashton James at ...2424...
Tue Apr 27 09:19:03 EDT 2004


OK, I can certainly agree with that... but what about the people who
need a signature fast... is there anything WRONG with them using one
short term until a better rule appears in the -CURRENT or -2.1 sig base
on snort.org??
I use the string based sigs and some minorly better than that and have
had good results for exploits just released... and hey, you need to
catch those too... I understand that a lot of these sigs aren't ready
for the main sig base, but that doesn't make them any less useful, and
some of them will no doubt be excellent sigs and may be put into the sig
base the way they are...

Basically, yes, quality is more important than quantity, but sometimes
speed to market is even more important, and just because the sig was
written and not yet approved by snort.org doesn't mean that it is a bad
sig.. You have to decide what goes into your personal sig-base... and
I have already added some sigs that people have posted... and the ones I
decided to add were relevant to my hardware and they seem to be working.

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Tuesday, April 27, 2004 11:57 AM
To: James Ashton
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] FW: Signature Database

On Tue, Apr 27, 2004 at 10:00:20AM -0400, James Ashton wrote:
> While I certainly DON'T want to detract from the sig base on snort.org I
> must say that for me, it is always a LITTLE behind where I would like
> it. I am hoping that by having a Sig Database that we all keep current
> with the sigs that we write then everyone can have a little more chance
> of catching something that they might have otherwise missed.

Quality is more important than quantity.

Simple string matches to catch a specific exploit may be useful for
the few days after the exploit is written, but after that, people
start writing new exploits with different shellcode.  The majority of
the signatures contributed lately (on snort-sigs and other places)
meet a specific short-term need but are lacking in the quality needed
for long-term use.

Before rules go into snort's "official" rules repository the rules
need to be of a certain level of quality.  Short term use rules
(simple shellcode based string match) generally do not fall into that
category.

If you write rules for the vulnerability, not the exploit, the quality
of the rules will go up.

Brian
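The distinction Brian draws (a rule for the exploit versus a rule for the vulnerability) is easy to see with two detectors run over some traffic. The following is an added example, not code from either poster or from the snort.org rule set; the protocol, the 128-byte buffer, the sample payloads and the Snort option snippets in the comments are all hypothetical, constructed for illustration.

```python
"""
Exploit-signature vs vulnerability-condition detection.

Constructed, hypothetical scenario: a text-protocol service whose
"USER <name>" handler copies the name into a 128-byte stack buffer.
Any USER argument longer than that triggers the bug, regardless of
which bytes follow -- that is the vulnerability condition.
"""
import re

USER_BUFFER_SIZE = 128  # hypothetical buffer size, not from any real advisory

# Constructed traffic samples (not captured data).
ORIGINAL_EXPLOIT = b"USER " + b"\x90" * 100 + b"\xcc" * 4 + b"A" * 200 + b"\r\n"
VARIANT_EXPLOIT = b"USER " + b"B" * 300 + b"\r\n"      # same overflow, new "shellcode"
BENIGN_LOGIN = b"USER alice\r\n"
BENIGN_LONG_LINE = b"NOOP " + b"x" * 400 + b"\r\n"      # long, but not the vulnerable field

SAMPLES = {
    "original_exploit": ORIGINAL_EXPLOIT,
    "variant_exploit": VARIANT_EXPLOIT,
    "benign_login": BENIGN_LOGIN,
    "benign_long_line": BENIGN_LONG_LINE,
}


def exploit_signature_match(payload: bytes) -> bool:
    """Short-term string rule: match the NOP sled of the published exploit.

    Roughly what a Snort option like  content:"|90 90 90 90 90 90 90 90|";
    would do.  It fires on the exploit it was written from and nothing else.
    """
    return b"\x90" * 8 in payload


def vulnerability_condition_match(payload: bytes) -> bool:
    """Rule for the vulnerability: USER argument longer than the buffer.

    Roughly what  content:"USER "; depth:5; pcre:"/^USER [^\\r\\n]{129,}/";
    would express.  It fires on any payload that reaches the bug, whatever
    shellcode or filler the attacker chose.
    """
    m = re.match(rb"USER ([^\r\n]*)", payload)
    if m is None:
        return False
    return len(m.group(1)) > USER_BUFFER_SIZE


def evaluate(detector) -> dict:
    """Run one detector over every constructed sample; True means 'alert'."""
    return {name: detector(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for detector in (exploit_signature_match, vulnerability_condition_match):
        print(detector.__name__, evaluate(detector))
```

Both detectors are quiet on the benign traffic and both catch the original exploit; only the vulnerability-based check still fires once the sled and shellcode change, which is the longevity Brian is arguing for. The string rule is still the faster one to write on the day the exploit appears, which is James's point.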
