[Snort-sigs] RE: Signature Database

Matthew Jonkman matt at ...2436...
Wed Apr 28 17:59:02 EDT 2004

That's a part of things. This will take people and documentation. For the 
initial submissions I don't think we'll require much documentation, 
mostly in the interest of encouraging new ideas to get submitted 
quickly. If the sig has value and sticks, then we'll get it documented to 
send toward snort.org and the real rulesets.

What I think the idea is evolving into is a repository for the 
signatures that come across this list, CVS-like, with anonymous access for 
all. The ones that are complete junk can be caught and taken out. The 
ones that need a little tweak can get that and be available in that form.

What benefits that gives us as I see it are:

1. You don't have to hope you got the last version or waste time 
searching the list archives

2. An easy to use repository of historical sigs and current issues

3. Centralized feedback, not a string of emails that aren't connected in 
the conversation

4. Easy link to let scripts pull the most recent for review. You can use 
what you like out of that

5. No cutting and pasting crap all day. :)  wget and vi are wonderful.

6. New rules available without having to be on bleeding-edge snort 
(which is cumbersome when you have a large number of sensors to keep up 
to date), so you can stay on the CURRENT sigs

We're starting to try out some ideas. Take a look at 
http://snort.infotex.com. This is the initial cvs setup. We'll have a 
frontend and website up in a day or so.

We welcome any ideas. We've had a lot of direct email with great ideas. 
Please keep that coming, on or off the list. Specifically we need a web 
interface that will drop a file into cvs.



Matthew Jonkman, CISSP
Senior Security Engineer

Alejandro Flores wrote:
> 	Hello there,
> 	As I can see, the main problem has different points of view. Some are
> proposing an automated type of addition and distribution of rules, and
> others are talking about what we have today: if you want brand new rules,
> subscribe to the list and copy/paste the submitted ones to your custom
> ruleset.
> 	Some want a way (an automatic one) to keep up to date. Just fire
> a daemon to watch for a new 'MD5', and bingo! I'm current! Others want
> the traditional way: see the new rule, and if it fits my need, I'll add it to
> my custom ruleset before it gets added to the main ruleset, so I'm
> current too.
> 	The main problem for the first situation appears to be people. People
> to write the rules, with good documentation, provide packet dumps, the
> conditions, etc. People to receive this information, validate the rule,
> and add it to the '0-day-rules'. People to do other tasks, such as
> documentation revision and ruleset publishing. People to be on time with
> the snort.org ruleset, to remove the rules added to the main (snort.org)
> ruleset. IMHO, the guys at snort.org don't have more time to spend on
> this new way. 
> 	So, for the automated way to work, there must be a team to deal with the
> job, and it must be in sync with snort.org. Is it possible?
> Regards,
> Alejandro Flores
> --TriForSec
> http://www.triforsec.com.br/ 
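The two workflows discussed above (a script pulling the latest file from the repository, a daemon watching for a new MD5, and a human picking what to enable) fit in one small review-before-deploy script. This is an added example, not code from the post, the infotex repository or snort.org; the rules URL is a placeholder, the sample rule files are constructed, and the sids are in the local-use range. The fetch step uses wget as the post suggests but is not run in the offline demo.

```shell
#!/bin/sh
# Added example (not from the Snort-sigs post or the repository it describes).
# Pull a community rules file, notice when its MD5 changed, and list the sids
# of rules that are new or modified since the last reviewed copy, so a human
# decides what goes into the local ruleset. Runs offline on constructed data.

RULES_URL="http://example.invalid/bleeding.rules"   # placeholder, not a real URL

# fetch_rules DEST: download the current rules file with wget (not called below).
fetch_rules() {
    wget -q -O "$1" "$RULES_URL"
}

# file_md5 FILE: hex MD5 of a file, with a fallback for systems lacking md5sum.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# rules_changed REVIEWED CURRENT: succeed when CURRENT differs from the last
# reviewed copy, or when nothing has been reviewed yet.
rules_changed() {
    [ -f "$1" ] || return 0
    [ "$(file_md5 "$1")" != "$(file_md5 "$2")" ]
}

# active_lines FILE: uncommented, non-empty rule lines, sorted for comm(1).
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sort -u
}

# pending_sids REVIEWED CURRENT: sids of active rules in CURRENT whose line is
# not present verbatim in REVIEWED (new rules and rules with a changed body).
pending_sids() {
    old=$(mktemp); new=$(mktemp)
    if [ -f "$1" ]; then active_lines "$1" > "$old"; fi
    active_lines "$2" > "$new"
    comm -13 "$old" "$new" \
      | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | sort -u
    rm -f "$old" "$new"
}

# review_pending REVIEWED CURRENT: print what a human still has to look at,
# nothing when the MD5 is unchanged.
review_pending() {
    rules_changed "$1" "$2" || return 0
    pending_sids "$1" "$2"
}

# Constructed sample: a previously reviewed copy and a fresh pull.
DEMO=$(mktemp -d)
cat > "$DEMO/reviewed.rules" <<'EOF'
# reviewed copy (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; sid:1000001; rev:1;)
EOF
cat > "$DEMO/current.rules" <<'EOF'
# fresh pull (constructed sample): rev bump on 1000001, 1000002 disabled, 1000003 new
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; sid:1000001; rev:2;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns oddity"; content:"|00 00 fc|"; sid:1000003; rev:1;)
EOF

# In real use: fetch_rules "$DEMO/current.rules"
echo "sids pending review:"
review_pending "$DEMO/reviewed.rules" "$DEMO/current.rules"
```

The comparison is on whole rule lines rather than on sids alone, so a rev bump that changes a rule body shows up for review just like a brand new rule, while a commented-out rule in the pulled file is ignored. Once the reviewer has copied what they want into the local ruleset, the pulled file becomes the new reviewed copy and the next run stays quiet until the MD5 changes again.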
