[Snort-sigs] RE: Signature Database
matt at ...2436...
Tue Apr 27 14:34:07 EDT 2004
I agree that it'll take a lot of work to do something like this, but
maybe the community is ready for it now.

I remember the problems in the experimental branch. My thoughts there
are that if experimental didn't work for you, why the heck are you
using them? They're labeled experimental; if you haven't the time or
expertise to test and tweak them, it's your own fault if you get 10k hits
on a bad rule. Some very good sigs did come through there and get
incorporated into the stable branch. That process is necessary, but
should be performed by the people that know how to do it, not
joe-script-kiddy running snort without understanding it. Joe should be
using the stable ruleset.

What we have now on the sigs list is not a very mature process. Someone
puts up a rule that's close, then 10 other people tweak it and 10
versions show up, then 3 or 4 of those 10 versions get tweaked to be
right, and we end up with 2 or 3 working versions of the same rule. It's
good if you can spend all day on the list and don't mind restarting
your snort 20 times with each release. But if you aren't following
closely you aren't going to get the best rule version.

I think we can do better.

What I think we need is a combination of a moderator-tested release of
realtime rules and a controlled feedback mechanism. Someone submits a
sig. That sig goes into a moderator queue (not to the members of the
list); the moderator looks it over for functionality and tests it where
necessary. If the sig is functional and doesn't hit a ton of false
positives, they approve it. The sig gets dropped into the realtime rule
set and an email goes out to those interested in knowing about it.
Making that set available via CVS would facilitate most of this process;
adding a web frontend to take the submissions would be the only
thing to code, really.

If a sig goes out that has a problem, rather than having 10 revisions
suddenly hit the sigs list, the tweaker would submit the change via a CVS
mechanism and the moderators approve it.

I imagine this same conversation went on between the people that started
writing CVS. :) We're not reinventing the wheel; I think we need to
apply what we already know to improve the process we all rely on.

If there is interest I'll happily put the processes into place and host
them. All we'll need are testers and moderators in each area of
Matthew Jonkman, CISSP
Senior Security Engineer
> On Tue, Apr 27, 2004 at 11:47:53AM -0500, Matt Jonkman wrote:
>>Some sort of a moderator based signature submission setup. Users can
>>submit sigs, they go to a board of 'moderators'. These volunteer
>>moderators (not snort.org people as their focus is and should be on
>>coding) verify the sig is good, accurate, and compatible with whatever
>>release they agree to service.
> We have tried that already. It doesn't work as well as you might
> I used to include experimental signatures (see experimental.rules
> history in the CVS tree) but after getting tons of negative responses,
> I stopped doing that.
> Now, users send them to snort-sigs. Read the mailing list or the
> archives if need be. Otherwise, check the archives. MARC is AWESOME.
> Use it.