[Snort-sigs] RE: Signature Database

Matthew Jonkman matt at ...2436...
Tue Apr 27 09:27:01 EDT 2004


I assume the Snort folks are listening here: Would you consider this --

Some sort of a moderator based signature submission setup. Users can 
submit sigs, they go to a board of 'moderators'. These volunteer 
moderators (not snort.org people as their focus is and should be on 
coding) verify the sig is good, accurate, and compatible with whatever 
release they agree to service.

The moderators should all have an area of expertise. Have a couple good 
coders, couple network and cisco guys, couple sql and web app guys, 
couple 0-day exploit types, etc. Whichever moderator gets to the sig 
first reviews it, if they click the approve button it's rolled into the 
realtime-set and made available. We could even use cvs for that so 
people can get email notifications, etc.

I think the strength would be the quick review by an expert for at least 
basic functionality and accuracy.

The rules then that come from this group could be distributed as a 
realtime-set, or even in experimental. That way the stable branch rules 
and 2.1 snapshot aren't always being fiddled with, but those admins that 
put a lot of time into their snort installs could still grab the 
realtime rules as necessary.

Anyone see a hole in this method?

My only thought is that the moderators might not be as fast as some 
would like. So we could make a cvs branch that users could at least see 
the submitted rules before approval.

Comments welcome. Snort folks, this something you'd be interested in?

Matt
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.



Brian King wrote:
> I agree that QA is important.  Sometimes bad information is worse than none
> at all.  arachNIDS had a way to send in new signatures with packet dumps,
> but it doesn't appear to have been updated in quite a while.  Another aspect
> of this is the signature documentation to help admins understand the
> significance of snort warnings.  I noticed that the online Snort signature
> database doesn't have information on several current exploits (IIS PCT
> vulnerability for one).  It would be nice if we developed some way of
> updating signatures that would go into that database and a community review
> process to validate them before they become official.  I am definitely
> interested in working on the documentation aspect of the signature database
> (I use it whenever I see an alert that I don't recognize).
> 
> -Brian
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
> For a limited time only, get FREE Ground shipping on all orders of $35
> or more. Hurry up and shop folks, this offer expires April 30th!
> http://www.thinkgeek.com/freeshipping/?cpg297
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs




More information about the Snort-sigs mailing list