[Snort-sigs] RE: Signature Database
matt at ...2436...
Wed Apr 28 08:18:07 EDT 2004
Yup. You hit it on the nose Bob.
This isn't a branch for everyone. Should NOT be part of the stable
branch. And why not do it? It'll be for the bleeding edge, real-time,
full-time snort jockeys that have something important to protect and
they spend a lot of time doing so.
The line we're thinking here is a cvs mechanism for distribution. Web
interface for submitting, maybe even an rss feed so we can keep an eye
on the sigs easily.
I hope we can keep a close relationship with the sig nazi so that when a
sig becomes mature and stable, and useful in the long term it can be fed
to snort, and removed from ours.
We're currently looking for some volunteer moderators. Have a few
already, but really want a variety of backgrounds. Please contact me if
you'd be interested.
Matthew Jonkman, CISSP
Senior Security Engineer
Bob Walder wrote:
> I can see where this might be useful for some - I can also see that it
> could be of concern to the Snort/Sourcefire guys whose aim is to produce
> and distribute a SOLID set of enterprise-quality signatures.
> So this list/forum/whatever needs to be distinct from the "official"
> Snort stuff
> The argument that it is "yet another list to watch" is not a good one -
> most people will NOT watch such a list and will stick with the Snort
> stable stuff - that is fine. Those who are crying out for it here WILL
> (hopefully!) monitor and use such a resource.
> If there is support for it - why not do it?
> BUT - the one thing that this absolutely MUST have for it to be useful
> is that the moderators of this new forum also closely watch what happens
> with the Snort stable sigs and remove all "experimental" sigs as soon as
> they make the transition into "stable" - otherwise we end up with loads
> of duplicates knocking around and many folks will not have the expertise
> necessary to filter those out on their own.
> Bob Walder
>>>From: snort-sigs-admin at lists.sourceforge.net
>>>[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
>>>Sent: 27 April 2004 23:37
>>>Cc: Matt Jonkman; snort-sigs at lists.sourceforge.net
>>>Subject: Re: [Snort-sigs] RE: Signature Database
>>>I agree that it'll take a lot of work to do something like this, but
>>>maybe the community is ready for it now.
>>>I remember the problems in the experimental branch. My
>>>are that there is if experimental didn't work for you why
>>>the heck are
>>>you using them? They're labeled experimental, if you haven't
>>>the time or
>>>expertise to test and tweak them it's your own fault if you
>>>get 10k hits
>>>on a bad rule. Some very good sigs did come through there and get
>>>incorporated into the stable branch. That process is necessary, but
>>>should be performed by the people that know how to do it. Not
>>>joe-script-kiddy running snort without understanding it. Joe
>>>using the stable ruleset.
>>>What we have now on the sigs list is not a very mature
>>>puts up a rule that's close, then 10 other people tweak it and 10
>>>versions show up, then 3 or 4 of those 10 versions get tweaked to be
>>>right, and we end up with 2 or 3 working versions of the
>>>same rule. It's
>>>good if you can spend all day on the list, and don't mind restarting
>>>your snort 20 times with each release. But if you aren't following
>>>closely you aren't going to get the best rule version.
>>>I think we can do better.
>>>What I think we need is a combination of a moderator tested
>>>realtime rules, and a controlled feedback mechanism. Someone
>>>sig. That sig goes into a moderator queue, (not to the members of the
>>>list), the moderator looks it over for functionality, tests it where
>>>necessary. If the sig is functional and doesn't hit a ton of false
>>>positives they approve it. The sig gets dropped into the
>>>set and an email goes out to those interested in knowing about it.
>>>Making that set cvs available would facilitate most of this process,
>>>just adding a web frontend to take the submissions would be the only
>>>thing to code really.
>>>If a sig goes out that has a problem, rather than having 10
>>>suddenly hit the sigs list the tweaker would submit the
>>>change via a cvs
>>>mechanism and the moderators approve it.
>>>I imagine this same conversation went on between the people
>>>writing CVS. :) We're not reinventing the wheel, I think we need to
>>>apply what we already know to improve the process we all rely on.
>>>If there is interest I'll happily put the processes into
>>>place and host
>>>them. All we'll need are testers and moderators in each area of
>>>Matthew Jonkman, CISSP
>>>Senior Security Engineer
>>>>On Tue, Apr 27, 2004 at 11:47:53AM -0500, Matt Jonkman wrote:
>>>>>Some sort of a moderator based signature submission setup.
>>>>>submit sigs, they go to a board of 'moderators'. These volunteer
>>>>>moderators (not snort.org people as their focus is and should be on
>>>>>coding) verify the sig is good, accurate, and compatible
>>>>>release they agree to service.
>>>>We have tried that already. It doesn't work as well as you might
>>>>I used to include experimental signatures (see experimental.rules
>>>>history in the CVS tree) but after getting tons of
>>>>I stopped doing that.
>>>>Now, users send them to snort-sigs. Read the mailing list or the
>>>>archives if need be. Otherwise, check the archives. MARC