[Snort-sigs] FW: Signature Database
frank at ...1978...
Tue Apr 27 18:36:00 EDT 2004
On Tue, 2004-04-27 at 10:57, Brian wrote:
> Quality is more important than quantity.
> Simple string matches to catch a specific exploit may be useful for
> the few days after the exploit is written, but after that, people
> start writing new exploits with different shellcode.
> If you write rules for the vulnerability, not the exploit, the quality
> of the rules will go up.
Amen to that. Can't find anything to contest nor anything to add.
Personally, I wouldn't trust my sensors to automatically download rules
that some stranger cobbled together. It's a matter of trust and
security. As Brian said, it's netty pruts... or futs... or something....
But if someone does want to provide a "service" like that, why not make
use of existing transports like CVS for example. Seems to be easier than
downloading it from some web site. No need to reinvent the wheel with
new protocols and custom delivery mechanisms. CVS is easy and can be
automated for the fearless sig-warriors.
(BTW: We manage rules differently. We keep a central repository and
generate updates through diffs that are applied through our custom
sensor/host update delivery mechanism.)
Warning at the Gates of Bill:
Abandon hope, all ye who press <ENTER> here...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: This is a digitally signed message part
More information about the Snort-sigs