[Snort-sigs] FW: Signature Database

Brian bmc at ...95...
Tue Apr 27 11:27:22 EDT 2004


On Tue, Apr 27, 2004 at 12:17:58PM -0400, James Ashton wrote:
> OK  I can certainly agree with that... but what about the people who
> need a signature fast... is there anything WRONT with them using one
> short term until a better rule appears in the -CURRENT  or -2.1 sig
> base on snort.org?? 

Yeah, and the community on snort-sigs already provides short term
rules.  

> Basicaly   yes  quality is more important than quantity but
> sometimes speed to market is even more important and just because
> the sig was written and not yet approved by snort.org doesn't mean
> that it is a bad sig..   You have to decide what goes into your
> personal sig-base...  and I have already added some sgs that people
> have posted... and the ones I decided to add were relevant to my
> hardware and they seam to be working.

Honestly, there is no way in HELL I would EVER put an interface on
snort.org to allow random people to upload sigs, validate the syntax
and push them out to the 300k people that download signatures
automatically from snort.org.

Thats nucking futs.

If you want quick to market signatures, with little concern for
quality, subscribe to the mailing list.  Watch the mailing list.  Pick
and choose signatures that are right for your network.  

Having a web forum means yet another location to watch.  One with bad
distribution mechanisms, poor scalability, and poor archive
mechanisms.  Web forums are more different mailing lists, which are
more different news groups.

Brian




More information about the Snort-sigs mailing list