[Snort-sigs] RE: Signature Database

Bob Walder bwalder at ...636...
Wed Apr 28 02:07:01 EDT 2004

I would have to back this up 100%

As a testing house, the first time we looked at Snort the rule set
sucked - there were TONS of rules, but there were loads of sucky ones
and loads of duplicates - no point having 2500 rules if 1000 of them are
duplicates, complete crap, or cause an effective DOS on your Snort if
you enable them.

Once Sourcefire came into being (I GUESS that was the real impetus
behind the need to increase quality?? ;o) and Brian turned into "rules
Nazi" we found the quality of subsequent sig sets was way better - the
last test we did on Snort 2.x (www.nss.co.uk/ids) showed how much the
whole product - coding and sigs - had improved since the 1.x days.

As a commercial operation, Sourcefire cannot afford to let that quality
slip - as Open source Snort users, do you really want to be using sigs
of lower quality than those guys who pay for it?


Bob Walder
The NSS Group

>> -----Original Message-----
>> From: snort-sigs-admin at lists.sourceforge.net 
>> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Brian
>> Sent: 28 April 2004 04:14
>> To: Matthew Jonkman
>> Cc: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] RE: Signature Database
>> On Tue, Apr 27, 2004 at 04:37:14PM -0500, Matthew Jonkman wrote:
>> > What I think we need is a combination of a moderator tested release of
>> > realtime rules, and a controlled feedback mechanism. Someone submits a
>> > sig. That sig goes into a moderator queue, (not to the members of the
>> > list), the moderator looks it over for functionality, tests it where
>> > necessary. If the sig is functional and doesn't hit a ton of false
>> > positives they approve it. The sig gets dropped into the realtime
>> > rules set and an email goes out to those interested in knowing about
>> > it. Making that set cvs available would facilitate most of this
>> > process, just adding a web frontend to take the submissions would be
>> > the only thing to code really.
>> You mean, just like we have now, except with more than me at the helm?
>> 
>> Perhaps you forgot what it was like before I took over as the "rules
>> nazi". No, I did not come up with that term, Marty did.
>> 
>> For those of you that have started using snort since then, let me
>> refresh your memory.
>> 
>> There was an online mechanism for submitting rules. There were multiple
>> people that could say "Sure, this looks alright to me." It got added.
>> The ruleset was available for download instantly. (Well, sorta. It was
>> complicated.) It was even on snort.org.
>> 
>> The reason I got involved with the snort project was because the
>> ruleset sucked. Sure, there were a ton of rules. Sure, lots of people
>> worked very hard on them. Don't forget the problems though.
>> 
>> There was no documentation. There was no testing. There were no
>> references. There was no handling of duplicates.
>> 
>> In short, there was no quality.
>> 
>> Why do you want to go back to that? A ton of people have worked VERY
>> hard to make sure Snort's ruleset is of the utmost quality. I am not
>> the only one, I've just been the biggest contributor.
>> Brian
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
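The moderation step Matthew proposes (check a submitted sig for functionality and false positives before it reaches the realtime set) and the defects Brian lists (no documentation, no references, no handling of duplicates, rules that hurt the sensor) are both mechanically checkable to a first approximation. The following is an added example written for this archive page, not code from the thread, from Sourcefire or from the Snort project: a small lint pass over a rule file that flags missing msg/reference/sid, duplicate sids, rules whose detection options duplicate an earlier rule, header-only rules with no content or pcre, and pcre patterns with nested quantifiers that can backtrack catastrophically. It assumes the classic one-line Snort rule layout and only the handful of options named in the comments; SAMPLE_RULES and its sids in the 9000000 range are constructed for the example and are not entries from any real ruleset.

```python
"""Added example (not code from the Snort-sigs thread): a lint pass over a
Snort rule file that flags the quality problems the thread complains about.
Assumes the classic one-line rule layout and a handful of common options
(msg, sid, content, pcre, reference); SAMPLE_RULES is constructed here."""
import re
from collections import defaultdict

# Constructed sample rules for the example; sids in the 9000000 range are
# placeholders, not entries from any real ruleset.
SAMPLE_RULES = """\
# constructed sample ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe.cgi"; sid:9000001; rev:1; reference:url,example.invalid/probe;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe copy"; content:"/probe.cgi"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE matches everything"; sid:9000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (content:"|00 00 01 00 00 01|"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp"; pcre:"/(a+)+$/"; sid:9000004; rev:1;)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# key:value; or bare key; -- a quoted value may itself contain ';'
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# a quantified group that is itself quantified, e.g. (a+)+, backtracks exponentially
NESTED_QUANT_RE = re.compile(r"\([^)]*[+*]\)[+*]")


def parse_rule(line):
    """Return {'header': 7-tuple, 'opts': {key: [values]}} or None if unparseable."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    opts = defaultdict(list)
    for key, val in OPT_RE.findall(m.group(8)):
        opts[key].append(val.strip().strip('"'))
    return {"header": m.groups()[:7], "opts": opts}


def lint_rules(text):
    """Return sorted (line, check, detail) findings for the text of a rule file."""
    findings = []
    sid_lines = {}
    by_fingerprint = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, "unparseable", "does not match header/options layout"))
            continue
        opts = rule["opts"]
        # documentation: every rule needs a msg and at least one reference
        if "msg" not in opts:
            findings.append((lineno, "no-msg", "rule has no msg"))
        if "reference" not in opts:
            findings.append((lineno, "no-reference", "rule cites no reference"))
        # identity: sid present and unique across the file
        sid = opts.get("sid", [None])[0]
        if sid is None:
            findings.append((lineno, "no-sid", "rule has no sid"))
        elif sid in sid_lines:
            findings.append((lineno, "duplicate-sid", f"sid {sid} already used on line {sid_lines[sid]}"))
        else:
            sid_lines[sid] = lineno
        # sensor load: a rule with no content/pcre fires on every packet matching its header
        contents = tuple(opts.get("content", []))
        pcres = tuple(opts.get("pcre", []))
        if not contents and not pcres:
            findings.append((lineno, "no-detection-content", "header-only rule; matches on 5-tuple alone"))
        for p in pcres:
            if NESTED_QUANT_RE.search(p):
                findings.append((lineno, "nested-quantifier", f"pcre {p!r} can backtrack exponentially"))
        # duplicates: same proto, dest port and detection options as an earlier rule
        if contents or pcres:
            by_fingerprint[(rule["header"][1], rule["header"][6], contents, pcres)].append(lineno)
    for lines in by_fingerprint.values():
        for ln in lines[1:]:
            findings.append((ln, "duplicate-detection", f"same proto/port/content as line {lines[0]}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, check, detail in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {check}: {detail}")
```

Run against the constructed sample, line 2 passes clean; line 3 is reported as a content duplicate of line 2 with no reference, line 4 as a header-only rule, line 5 as reusing sid 9000001 and lacking a msg, and line 6 for its nested-quantifier pcre. The checks are deliberately shallow (no Snort parser, no traffic replay): they are the cheap gate a moderator queue can run before the false-positive testing Matthew describes, not a substitute for it.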
