[Snort-sigs] RE: Signature Database

Matthew Jonkman matt at ...2436...
Wed Apr 28 08:18:07 EDT 2004

Yup. You hit it on the nose Bob.

This isn't a branch for everyone. Should NOT be part of the stable 
branch. And why not do it? It'll be for the bleeding edge, real-time, 
full-time snort jockeys that have something important to protect and 
they spend a lot of time doing so.

The line we're thinking here is a cvs mechanism for distribution. Web 
interface for submitting, maybe even an rss feed so we can keep an eye 
on the sigs easily.

I hope we can keep a close relationship with the sig nazi so that when a 
sig becomes mature and stable, and useful in the long term it can be fed 
to snort, and removed from ours.

We're currently looking for some volunteer moderators. Have a few 
already, but really want a variety of backgrounds. Please contact me if 
you'd be interested.

Matthew Jonkman, CISSP
Senior Security Engineer

Bob Walder wrote:
> I can see where this might be useful for some - I can also see that it
> could be of concern to the Snort/Sourcefire guys whose aim is to produce
> and distribute a SOLID set of enterprise-quality signatures.
> So this list/forum/whatever needs to be distinct from the "official"
> Snort stuff.
> The argument that it is "yet another list to watch" is not a good one -
> most people will NOT watch such a list and will stick with the Snort
> stable stuff - that is fine. Those who are crying out for it here WILL
> (hopefully!) monitor and use such a resource.
> If there is support for it - why not do it?
> BUT - the one thing that this absolutely MUST have for it to be useful
> is that the moderators of this new forum also closely watch what happens
> with the Snort stable sigs and remove all "experimental" sigs as soon as
> they make the transition into "stable" - otherwise we end up with loads
> of duplicates knocking around and many folks will not have the expertise
> necessary to filter those out on their own.
> Regards,
> Bob Walder
>>>-----Original Message-----
>>>From: snort-sigs-admin at lists.sourceforge.net 
>>>[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
>>>Matthew Jonkman
>>>Sent: 27 April 2004 23:37
>>>To: Brian
>>>Cc: Matt Jonkman; snort-sigs at lists.sourceforge.net
>>>Subject: Re: [Snort-sigs] RE: Signature Database
>>>I agree that it'll take a lot of work to do something like this, but
>>>maybe the community is ready for it now.
>>>
>>>I remember the problems in the experimental branch. My thoughts there
>>>are that if experimental didn't work for you, why the heck are you
>>>using them? They're labeled experimental; if you haven't the time or
>>>expertise to test and tweak them it's your own fault if you get 10k hits
>>>on a bad rule. Some very good sigs did come through there and get
>>>incorporated into the stable branch. That process is necessary, but
>>>should be performed by the people that know how to do it. Not
>>>joe-script-kiddy running snort without understanding it. Joe should be
>>>using the stable ruleset.
>>>
>>>What we have now on the sigs list is not a very mature process. Someone
>>>puts up a rule that's close, then 10 other people tweak it and 10
>>>versions show up, then 3 or 4 of those 10 versions get tweaked to be
>>>right, and we end up with 2 or 3 working versions of the same rule. It's
>>>good if you can spend all day on the list, and don't mind restarting
>>>your snort 20 times with each release. But if you aren't following
>>>closely you aren't going to get the best rule version.
>>>
>>>I think we can do better.
>>>
>>>What I think we need is a combination of a moderator-tested release of
>>>realtime rules, and a controlled feedback mechanism. Someone submits a
>>>sig. That sig goes into a moderator queue (not to the members of the
>>>list); the moderator looks it over for functionality, tests it where
>>>necessary. If the sig is functional and doesn't hit a ton of false
>>>positives they approve it. The sig gets dropped into the realtime rules
>>>set and an email goes out to those interested in knowing about it.
>>>Making that set cvs available would facilitate most of this process;
>>>just adding a web frontend to take the submissions would be the only
>>>thing to code really.
>>>
>>>If a sig goes out that has a problem, rather than having 10
>>>suddenly hit the sigs list the tweaker would submit the change via a cvs
>>>mechanism and the moderators approve it.
>>>
>>>I imagine this same conversation went on between the people that started
>>>writing CVS. :) We're not reinventing the wheel, I think we need to
>>>apply what we already know to improve the process we all rely on.
>>>
>>>If there is interest I'll happily put the processes into place and host
>>>them. All we'll need are testers and moderators in each area of
>>>expertise. Takers?
>>>Matthew Jonkman, CISSP
>>>Senior Security Engineer
>>>Brian wrote:
>>>>On Tue, Apr 27, 2004 at 11:47:53AM -0500, Matt Jonkman wrote:
>>>>>Some sort of a moderator based signature submission setup. Users can
>>>>>submit sigs, they go to a board of 'moderators'. These volunteer
>>>>>moderators (not snort.org people as their focus is and should be on
>>>>>coding) verify the sig is good, accurate, and compatible with whatever
>>>>>release they agree to service.
>>>>
>>>>We have tried that already.  It doesn't work as well as you might
>>>>I used to include experimental signatures (see experimental.rules
>>>>history in the CVS tree) but after getting tons of negative responses,
>>>>I stopped doing that.
>>>>
>>>>Now, users send them to snort-sigs.  Read the mailing list or the
>>>>archives if need be.  Otherwise, check the archives.  MARC is AWESOME.
>>>>Use it.
>>>>    http://marc.theaimsgroup.com/?l=snort-sigs
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
