[Snort-sigs] Call for help
matt at ...2436...
Wed Jun 2 13:37:07 EDT 2004
The bleeding rules are starting to get a lot of traffic. We're very
excited about that. But we definitely want to bring the bleeding project
to a sustainable process for the long-term.
The one thing that's always lacked in the snort community is a good
rules manager. There are some projects out there (activeworx, etc) but
in the environments I think a lot of us function in, there needs to be a
centralized tool, preferably web-based. Something that has permissions,
user rights, tracking, etc.
What we want to turn bleeding into is an open-sourced rules manager.
That manager would have a hosted version that anyone can use
anonymously. Good for the small scale and home users. At the same time
that code would be available for the larger installs to bring in house.
Here's what we have in mind (in general):
Take geeklog or php-nuke and build a rules management module. These
features to be implemented in this phase:
1. Pull in the snort.org rules (2.0 and up at least)
2. Pull in bleeding rules
3. Allow users to create an account and have their own sets
4. Users can create multiple sensors in their account
5. Users can create their own templates (sets of active and disabled
rules) and apply those to sensors
6. Users can choose either categories or individual rules for enabling
7. Each sensor for each user would have a url that they could use in a
script to pull the ruleset created by their choices. i.e.
8. Opt in email notifications of changes and availability of new rules
Host that for the world to use; the benefit is us all getting the new
sigs matured and easily available.
The snort.conf would NOT be included in this tool; the information there is
too sensitive. But it could be managed in the version an org could install.
Add functionality to let users submit their own rules. Rules can be
public or private. Public rules would be made available to all users to
enable (i.e. the bleeding set). Private for that user account only.
Functionality to track rule changes and let users submit improvements to
submitted rules. The original poster retains 'control' of the rule until
it's considered stable or is brought into the snort.org rulesets. This
removes the reliance on a small number of people to maintain all the
rules and changes for everyone. (which we've found to be a good deal of
work). Owners could give the rule away to another user for tweaking, or
implement suggestions themselves.
Add a sensor management function. To do:
1. Determine status of sensors (snort running or not)
2. Push rules and restart snort
etc. Likely ssh based. But this would ONLY be available in the version
to install locally, not necessarily in the publicly hosted version.
What we have to get us to this point is this:
1. Resources and bandwidth to host and maintain
2. The motivation
3. Lots of support and good wishes (thanks all)
4. A great set of rules from snort.org via Brian
What we haven't got:
1. PHP coders (specifically with geeklog or php-nuke experience)
So that's what we're asking for. We need a few php guys (or girls) with
a little database experience. Some geeklog module experience would be
great as well.
If you're interested please let us know. We're very excited about this
project. A good standardized rules manager is a big goal of this
project, as well as the tracking and maturing process of new rules and
ideas for snort signatures.
We're still soliciting ideas and concepts as well. Please keep them
coming. I think a large number of us have built tools to do this over
the years. I shudder to think how many versions of this might already
exist inside many organizations, but can't see the light of day via GPL.
Taking all that experience and building one standard one will benefit us
Matthew Jonkman, CISSP
Senior Security Engineer
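Items 5 through 7 of the first phase (a template of enabled and disabled rules applied to a sensor, chosen by category or by individual sid, then pulled as one file) can be sketched in code. The following Python is an added example, not code from the bleeding project or from this post; the rule text, the sids and the template layout are constructed for illustration.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample rule files standing in for snort.org and bleeding
# categories; the sids and rule content are invented for this example.
SAMPLE_RULES: Dict[str, str] = {
    "web-attacks": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB sample 1"; sid:1000001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB sample 2, off upstream"; sid:1000002; rev:1;)\n'
    ),
    "bleeding": (
        '# Bleeding sample rules, not real signatures\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"BLEEDING sample IRC"; sid:2000001; rev:1;)\n'
        'alert udp any any -> any 53 (msg:"BLEEDING sample DNS"; sid:2000002; rev:1;)\n'
    ),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A rule line starts with an action; a leading '#' means it ships disabled.
RULE_RE = re.compile(r"^(#\s*)?(alert|log|pass|drop|reject|sdrop|activate|dynamic)\b")

def build_ruleset(rule_files: Dict[str, str], template: dict) -> Tuple[str, Set[int]]:
    # template: 'categories' are enabled wholesale; 'enable_sids'/'disable_sids' are per-rule overrides that win.
    out, active = [], set()
    for category, text in rule_files.items():
        out.append(f"# --- {category} ---")
        for line in text.splitlines():
            m, sid_m = RULE_RE.match(line), SID_RE.search(line)
            if not m or not sid_m:
                out.append(line)  # plain comment or blank line, kept as-is
                continue
            sid = int(sid_m.group(1))
            body = line[len(m.group(1) or ""):]  # rule text without its leading '#'
            on = category in template["categories"] and m.group(1) is None
            if sid in template["enable_sids"]:
                on = True
            if sid in template["disable_sids"]:
                on = False
            if on:
                active.add(sid)
            out.append(body if on else "# " + body)
    return "\n".join(out) + "\n", active

# Constructed template: both categories on, one upstream-disabled rule switched back on, one bleeding rule off.
SENSOR_TEMPLATE = {
    "categories": {"web-attacks", "bleeding"},
    "enable_sids": {1000002},
    "disable_sids": {2000001},
}
```

The returned text is what the per-sensor URL in item 7 would serve; the returned sid set is what a change-notification feature (item 8) could diff between runs.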