[Snort-sigs] RE: Signature Database

Brian bmc at ...95...
Tue Apr 27 19:15:16 EDT 2004

On Tue, Apr 27, 2004 at 04:37:14PM -0500, Matthew Jonkman wrote:
> What I think we need is a combination of a moderator tested release of
> realtime rules, and a controlled feedback mechanism. Someone submits a
> sig. That sig goes into a moderator que, (not to the members of the
> list), the moderator looks it over for functionality, tests it where
> necessary. If the sig is functional and doesn't hit a ton of false
> positives they approve it. The sig gets dropped into the realtime
> rules set and an email goes out to those interested in knowing about
> it.  Making that set cvs available would facilitate most of this
> process, just adding a web frontend to take the submissions would be
> the only thing to code really.

You mean, just like we have now, except with more than me at the helm?

Perhaps you forgot what it was like before I took over as the "rules
nazi".  No, I did not come up with that term, Marty did.

For those of you that have started using snort since then, let me
refresh your memory.

There was an online mechanism for submitting rules.  There were multiple
people that could say "Sure, this looks alright to me."  It got added.
The ruleset were available for download instantly.  (Well, sorta.  It
was complicated.)  It was even on snort.org.

The reason I got involved with the snort project was because the ruleset
sucked.  Sure, there were a ton of rules.  Sure, lots of people worked
very hard on them.  Don't forget the problems though.

There was no documentation.  There was no testing.  There were no
references.  There were no handling of duplicates.

In short, there was no quality.  

Why do you want to go back to that?  A ton of people have worked VERY
hard to make sure Snort's ruleset of the utmost quality.  I am not the
only one, I've just been the biggest contributor.


More information about the Snort-sigs mailing list