[Snort-sigs] Call for help

Matthew Jonkman matt at ...2436...
Wed Jun 2 13:37:07 EDT 2004


The bleeding rules are starting to get a lot of traffic. We're very 
excited about that. But we definitely want to bring the bleeding project 
to a sustainable process for the long-term.

The one thing that's always been lacking in the snort community is a good 
rules manager. There are some projects out there (activeworx, etc.), but 
in the environments I think a lot of us function in, there needs to be a 
centralized tool, preferably web-based. Something that has permissions, 
user rights, tracking, etc.

What we want to turn bleeding into is an open-sourced rules manager. 
That manager would have a hosted version that anyone can use 
anonymously. Good for the small scale and home users. At the same time 
that code would be available for the larger installs to bring in house.

Here's what we have in mind (in general):

Phase one:
Take geeklog or php-nuke and build a rules management module. These 
features to be implemented in this phase:
1. Pull in the snort.org rules (2.0 and up at least)
2. Pull in bleeding rules
3. Allow users to create an account and have their own sets
4. Users can create multiple sensors in their account
5. Users can create their own templates (sets of active and disabled 
rules) and apply those to sensors
6. Users can choose either categories or individual rules for enabling 
or disabling
7. Each sensor for each user would have a url that they could use in a 
script to pull the ruleset created by their choices. i.e. 
http://www.bleedingsnort.com/myrules.php&id=4729847
8. Opt in email notifications of changes and availability of new rules

Host that for the world to use, the benefit is us all getting the new 
sigs matured and easily available.

The snort.conf would NOT be included in this tool; the information there is 
too sensitive. But it could be managed in the version an org could install 
internally.
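As an added illustration (not code from the bleeding project or from this message), here is a Python sketch of how items 5 through 7 above fit together: a per-user template of enabled categories plus individual SID overrides is applied to the pooled Snort rules to produce the ruleset one sensor would pull. The rule lines, category names and template field names are constructed for this example.

```python
import re

# Constructed sample rules (not real snort.org or bleeding signatures), grouped by
# category; one rule is already commented out in the upstream set.
RULES_BY_CATEGORY = {
    "web-attacks": [
        'alert tcp any any -> any 80 (msg:"WEB-ATTACKS sample one"; sid:1000001; rev:1;)',
        '# alert tcp any any -> any 80 (msg:"WEB-ATTACKS sample two"; sid:1000002; rev:1;)',
    ],
    "bleeding": [
        'alert tcp any any -> any 25 (msg:"BLEEDING sample three"; sid:2000001; rev:1;)',
        'alert udp any any -> any 53 (msg:"BLEEDING sample four"; sid:2000002; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def rule_sid(line):
    """Return the sid of a Snort rule line, or None if the line carries no sid."""
    match = SID_RE.search(line)
    return int(match.group(1)) if match else None

def build_ruleset(rules_by_category, template):
    """Apply a user template to the rule pool and return the lines for one sensor.

    Assumed template layout: "categories" (set of category names enabled wholesale),
    "enable_sids" (rules forced on even if their category is off) and "disable_sids"
    (rules forced off even if their category is on). Disabled rules are emitted
    commented out rather than dropped, so the pulled file keeps a stable shape and
    shows what was turned off.
    """
    out = []
    for category, lines in rules_by_category.items():
        for line in lines:
            body = line.lstrip("# ").rstrip()
            sid = rule_sid(body)
            if sid is None:
                continue  # blank line or plain comment, not a rule
            upstream_disabled = line.lstrip().startswith("#")
            active = category in template.get("categories", set()) and not upstream_disabled
            if sid in template.get("enable_sids", set()):
                active = True
            if sid in template.get("disable_sids", set()):
                active = False
            out.append(body if active else "# " + body)
    return out

def active_sids(ruleset):
    """Sids of the rules left live (not commented out) in a generated ruleset."""
    return {rule_sid(line) for line in ruleset if not line.startswith("#")}
```

A per-sensor URL like the one in item 7 would simply serve the output of build_ruleset for that sensor's stored template.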

Phase two:
Add functionality to let users submit their own rules. Rules can be 
public or private. Public rules would be made available to all users to 
enable (ie the bleeding set). Private for that user account only.

Functionality to track rule changes and let users submit improvements to 
submitted rules. The original poster retains 'control' of the rule until 
it's considered stable or is brought into the snort.org rulesets. This 
removes the reliance on a small number of people to maintain all the 
rules and changes for everyone (which we've found to be a good deal of 
work). Owners could give the rule away to another user for tweaking, or 
implement suggestions themselves.

Phase three:
Add a sensor management function. To do:
1. Determine status of sensors (snort running or not)
2. Push rules and restart snort
etc. Likely ssh based. But this would ONLY be available in the version 
to install locally, not necessarily in the publicly hosted version.


What we have to get us to this point is this:
1. Resources and bandwidth to host and maintain
2. The motivation
3. Lots of support and good wishes (thanks all)
4. A great set of rules from snort.org via Brian

What we haven't got:
1. PHP coders (specifically with geeklog or php-nuke experience)

So that's what we're asking for. We need a few php guys (or girls) with 
a little database experience. Some geeklog module experience would be 
great as well.

If you're interested please let us know. We're very excited about this 
project. A good standardized rules manager is a big goal of this 
project, as well as the tracking and maturing process of new rules and 
ideas for snort signatures.

We're still soliciting ideas and concepts as well. Please keep them 
coming. I think a large number of us have built tools to do this over 
the years. I shudder to think how many versions of this might already 
exist inside many organizations, but can't see the light of day via GPL. 
Taking all that experience and building one standard one will benefit us 
all greatly.

Matt
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
