[Snort-sigs] RE: Signature Database

Matthew Jonkman matt at ...2436...
Tue Apr 27 14:34:07 EDT 2004

I agree that it'll take a lot of work to do something like this, but 
maybe the community is ready for it now.

I remember the problems in the experimental branch. My thoughts there 
are that if experimental didn't work for you, why the heck are 
you using them? They're labeled experimental, if you haven't the time or 
expertise to test and tweak them it's your own fault if you get 10k hits 
on a bad rule. Some very good sigs did come through there and get 
incorporated into the stable branch. That process is necessary, but 
should be performed by the people that know how to do it. Not 
joe-script-kiddy running snort without understanding it. Joe should be 
using the stable ruleset.

What we have now on the sigs list is not a very mature process. Someone 
puts up a rule that's close, then 10 other people tweak it and 10 
versions show up, then 3 or 4 of those 10 versions get tweaked to be 
right, and we end up with 2 or 3 working versions of the same rule. It's 
good if you can spend all day on the list, and don't mind restarting 
your snort 20 times with each release. But if you aren't following 
closely you aren't going to get the best rule version.

I think we can do better.

What I think we need is a combination of a moderator tested release of 
realtime rules, and a controlled feedback mechanism. Someone submits a 
sig. That sig goes into a moderator queue (not to the members of the 
list), the moderator looks it over for functionality, tests it where 
necessary. If the sig is functional and doesn't hit a ton of false 
positives they approve it. The sig gets dropped into the realtime rules 
set and an email goes out to those interested in knowing about it. 
Making that set cvs available would facilitate most of this process, 
just adding a web frontend to take the submissions would be the only 
thing to code really.

If a sig goes out that has a problem, rather than having 10 revisions 
suddenly hit the sigs list the tweaker would submit the change via a cvs 
mechanism and the moderators approve it.

I imagine this same conversation went on between the people that started 
writing CVS. :) We're not reinventing the wheel, I think we need to 
apply what we already know to improve the process we all rely on.

If there is interest I'll happily put the processes into place and host 
them. All we'll need are testers and moderators in each area of 
expertise. Takers?


Matthew Jonkman, CISSP
Senior Security Engineer

Brian wrote:
> On Tue, Apr 27, 2004 at 11:47:53AM -0500, Matt Jonkman wrote:
>>Some sort of a moderator based signature submission setup. Users can
>>submit sigs, they go to a board of 'moderators'. These volunteer
>>moderators (not snort.org people as their focus is and should be on
>>coding) verify the sig is good, accurate, and compatible with whatever
>>release they agree to service.
> We have tried that already.  It doesn't work as well as you might
> think.
> I used to include experimental signatures (see experimental.rules
> history in the CVS tree) but after getting tons of negative responses,
> I stopped doing that.
> Now, users send them to snort-sigs.  Read the mailing list or the
> archives if need be.  Otherwise, check the archives.  MARC is AWESOME.
> Use it.
>     http://marc.theaimsgroup.com/?l=snort-sigs
> Brian
