[Snort-sigs] RE: Signature Database

Matthew Jonkman matt at ...2436...
Tue Apr 27 20:26:44 EDT 2004


Well sorta. Since you've been on the rules they have made a HUGE leap 
forward in stability and quality. Thanks for that.

But I still think there's room for a realtime set. The sigs that turn 
out to be quality and will provide long term value out of that set 
should feed you and the stable branch.

I do think we need a good and moderated channel for the realtime rules. 
Virus outbreaks, the exploit of the day, that kind of thing. The sigs 
list is good to start, but the polished product never gets posted, and 
you never can tell which sigs really have been tested well.

Consider it a live testing ground for what will be considered for the 
stable set you maintain, Brian, and a single resource for those of us 
that manage our snorts in realtime, and have resources to commit to 
putting rules in on the fly (not with daily scripts, etc).

It certainly wouldn't be a ruleset that should be distributed with the 
stable branch, even if it's called experimental or realtime. More like a 
testing ground for the bleeding edge types and staging area for the 
stable branch, distributed completely separately. CVS-like.

I don't see where this will cause issues.


--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer

Brian wrote:
> On Tue, Apr 27, 2004 at 04:37:14PM -0500, Matthew Jonkman wrote:
> 
>>What I think we need is a combination of a moderator tested release of
>>realtime rules, and a controlled feedback mechanism. Someone submits a
>>sig. That sig goes into a moderator queue, (not to the members of the
>>list), the moderator looks it over for functionality, tests it where
>>necessary. If the sig is functional and doesn't hit a ton of false
>>positives they approve it. The sig gets dropped into the realtime
>>rules set and an email goes out to those interested in knowing about
>>it.  Making that set cvs available would facilitate most of this
>>process, just adding a web frontend to take the submissions would be
>>the only thing to code really.
> 
> 
> You mean, just like we have now, except with more than me at the helm?
> 
> Perhaps you forgot what it was like before I took over as the "rules
> nazi".  No, I did not come up with that term, Marty did.
> 
> For those of you that have started using snort since then, let me
> refresh your memory.
> 
> There was an online mechanism for submitting rules.  There were multiple
> people that could say "Sure, this looks alright to me."  It got added.
> The ruleset was available for download instantly.  (Well, sorta.  It
> was complicated.)  It was even on snort.org.
> 
> The reason I got involved with the snort project was because the ruleset
> sucked.  Sure, there were a ton of rules.  Sure, lots of people worked
> very hard on them.  Don't forget the problems though.
> 
> There was no documentation.  There was no testing.  There were no
> references.  There was no handling of duplicates.
> 
> In short, there was no quality.  
> 
> Why do you want to go back to that?  A ton of people have worked VERY
> hard to make sure Snort's ruleset is of the utmost quality.  I am not the
> only one, I've just been the biggest contributor.
> 
> Brian
> 
> 
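The quality gaps Brian lists (no documentation, no references, no handling of duplicates) are the kind of thing a moderator queue can check mechanically before a submitted sig reaches a realtime set. The following lint pass is an added example written for this page, not tooling from the Snort project or from either poster; the checks it applies (required options, sid collisions, identical header-plus-detection under different sids, rules with no content or pcre at all) and the sample rules it runs over are constructed for illustration.

```python
# Added example: a small lint pass over a Snort ruleset, checking the quality
# points raised in the thread (documentation via msg/reference/classtype,
# sid/rev bookkeeping, and duplicate handling). This is hypothetical tooling,
# not anything from the Snort project. The sample rules below are constructed.
import re
from collections import defaultdict

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)

# Options a rule must carry before it is fit for a curated set.
REQUIRED = ('msg', 'sid', 'rev', 'classtype', 'reference')


def split_options(body):
    """Split the rule body on ';', ignoring ';' that is quoted or escaped."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\':
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            if ''.join(cur).strip():
                out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        out.append(''.join(cur).strip())
    return out


def parse_rule(line):
    """Return the header fields plus an option-name -> [values] map, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    opts = defaultdict(list)
    for opt in split_options(m.group('body')):
        key, _, val = opt.partition(':')
        opts[key.strip()].append(val.strip().strip('"'))
    rule['options'] = opts
    return rule


def lint_ruleset(text):
    """Return (line_number, finding) pairs for every rule that fails a check."""
    findings, seen_sid, seen_detect = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, 'unparseable rule'))
            continue
        opts = rule['options']
        for key in REQUIRED:
            if key not in opts:
                findings.append((lineno, f'missing {key}'))
        if 'content' not in opts and 'pcre' not in opts:
            findings.append((lineno, 'no content/pcre: matches every packet on this header'))
        sid = opts.get('sid', [None])[0]
        if sid is not None:
            if sid in seen_sid:
                findings.append((lineno, f'duplicate sid {sid} (first used at line {seen_sid[sid]})'))
            else:
                seen_sid[sid] = lineno
        # Two rules with the same header and the same detection options are
        # duplicates even when their sid and msg differ.
        fp = (rule['proto'], rule['src'], rule['sport'], rule['dir'], rule['dst'], rule['dport'],
              tuple(opts.get('content', [])), tuple(opts.get('pcre', [])))
        if fp in seen_detect:
            findings.append((lineno, f'duplicate detection logic: same as line {seen_detect[fp]}'))
        else:
            seen_detect[fp] = lineno
    return findings


# Constructed sample: one clean rule, one undocumented resubmission of it,
# one sid collision, and one rule with no detection content at all.
SAMPLE_RULES = r"""# constructed sample ruleset, not real Snort rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example traversal"; flow:to_server,established; content:"/../"; reference:url,example.invalid/advisory; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC traversal resubmitted"; flow:to_server,established; content:"/../"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example worm"; content:"X-Mailer|3A| Example\; v1"; sid:1000001; rev:2;)
alert udp any any -> any 53 (msg:"DNS anything";)
"""

if __name__ == '__main__':
    for lineno, finding in lint_ruleset(SAMPLE_RULES):
        print(f'line {lineno}: {finding}')
```

Run against the sample, the first rule passes clean; the resubmission is flagged for missing classtype and reference and as a duplicate of line 2's detection logic; the SMTP rule collides on sid 1000001; and the DNS rule is flagged for having no content or pcre at all, which is exactly the sort of sig that "hits a ton of false positives" the moment it lands in a realtime set. The option splitter honours quoted and backslash-escaped semicolons, since a naive split on ';' would corrupt content strings.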