[Snort-sigs] RE: Signature Database

Bob Walder bwalder at ...636...
Wed Apr 28 02:01:05 EDT 2004


I can see where this might be useful for some - I can also see that it
could be of concern to the Snort/Sourcefire guys whose aim is to produce
and distribute a SOLID set of enterprise-quality signatures.

So this list/forum/whatever needs to be distinct from the "official"
Snort stuff.

The argument that it is "yet another list to watch" is not a good one -
most people will NOT watch such a list and will stick with the Snort
stable stuff - that is fine. Those who are crying out for it here WILL
(hopefully!) monitor and use such a resource.

If there is support for it - why not do it?

BUT - the one thing that this absolutely MUST have for it to be useful
is that the moderators of this new forum also closely watch what happens
with the Snort stable sigs and remove all "experimental" sigs as soon as
they make the transition into "stable" - otherwise we end up with loads
of duplicates knocking around and many folks will not have the expertise
necessary to filter those out on their own.

Regards,

Bob Walder

>> -----Original Message-----
>> From: snort-sigs-admin at lists.sourceforge.net 
>> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
>> Matthew Jonkman
>> Sent: 27 April 2004 23:37
>> To: Brian
>> Cc: Matt Jonkman; snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] RE: Signature Database
>> 
>> 
>> I agree that it'll take a lot of work to do something like this, but
>> maybe the community is ready for it now.
>> 
>> I remember the problems in the experimental branch. My thoughts there
>> are that if experimental didn't work for you, why the heck are you
>> using them? They're labeled experimental; if you haven't the time or
>> expertise to test and tweak them, it's your own fault if you get 10k
>> hits on a bad rule. Some very good sigs did come through there and get
>> incorporated into the stable branch. That process is necessary, but
>> should be performed by the people that know how to do it, not
>> joe-script-kiddy running snort without understanding it. Joe should be
>> using the stable ruleset.
>> 
>> What we have now on the sigs list is not a very mature process. Someone
>> puts up a rule that's close, then 10 other people tweak it and 10
>> versions show up, then 3 or 4 of those 10 versions get tweaked to be
>> right, and we end up with 2 or 3 working versions of the same rule. It's
>> good if you can spend all day on the list, and don't mind restarting
>> your snort 20 times with each release. But if you aren't following
>> closely you aren't going to get the best rule version.
>> 
>> I think we can do better.
>> 
>> What I think we need is a combination of a moderator-tested release of
>> realtime rules, and a controlled feedback mechanism. Someone submits a
>> sig. That sig goes into a moderator queue (not to the members of the
>> list); the moderator looks it over for functionality, tests it where
>> necessary. If the sig is functional and doesn't hit a ton of false
>> positives, they approve it. The sig gets dropped into the realtime rules
>> set and an email goes out to those interested in knowing about it.
>> Making that set cvs available would facilitate most of this process;
>> just adding a web frontend to take the submissions would be the only
>> thing to code really.
>> 
>> If a sig goes out that has a problem, rather than having 10 revisions
>> suddenly hit the sigs list, the tweaker would submit the change via a cvs
>> mechanism and the moderators approve it.
>> 
>> I imagine this same conversation went on between the people that started
>> writing CVS. :) We're not reinventing the wheel; I think we need to
>> apply what we already know to improve the process we all rely on.
>> 
>> If there is interest I'll happily put the processes into place and host
>> them. All we'll need are testers and moderators in each area of
>> expertise. Takers?
>> 
>> Thoughts?
>> 
>> --------------------------------------------
>> Matthew Jonkman, CISSP
>> Senior Security Engineer
>> 
>> Brian wrote:
>> > On Tue, Apr 27, 2004 at 11:47:53AM -0500, Matt Jonkman wrote:
>> > 
>> >> Some sort of a moderator based signature submission setup. Users can
>> >> submit sigs, they go to a board of 'moderators'. These volunteer
>> >> moderators (not snort.org people as their focus is and should be on
>> >> coding) verify the sig is good, accurate, and compatible with whatever
>> >> release they agree to service.
>> > 
>> > We have tried that already.  It doesn't work as well as you might
>> > think.
>> > 
>> > I used to include experimental signatures (see experimental.rules
>> > history in the CVS tree) but after getting tons of negative responses,
>> > I stopped doing that.
>> > 
>> > Now, users send them to snort-sigs.  Read the mailing list or the
>> > archives if need be.  Otherwise, check the archives.  MARC is AWESOME.
>> > Use it.
>> > 
>> >     http://marc.theaimsgroup.com/?l=snort-sigs
>> > 
>> > Brian