[Snort-sigs] RE: Signature Database
mike at ...2444...
Mon May 3 04:54:48 EDT 2004
On Apr 28, 2004, at 12:15 PM, Frank Knobbe wrote:
> But isn't this exactly what this list is about? When Symantec or ISS or
> Lurhq or SANS ISC or dshield users release a signature, it most always
> finds its way into this list by being forwarded by someone who saw the
> sig. Members of this list can then incorporate that sig into their
> custom rules file or not, their choice. But I don't see why we need yet
> another place providing those sigs.
I agree, Frank... but I also understand the desire for people to branch
out, and want to get fast (even if sucky) rule updates for the latest
threats. I thought that arachnids (whitehats, Max Vision's site) was a
great place to understand rules. I liked their interface, their
documentation, the fact that they included packet dump data with their
documentation. I would not however download my rule set from them. I'm
sure you are aware of Max's run-in with the federales, and despite his
good work and nice website... that's not where I want my security
information coming from.
I've been talking with a number of people in the community and there is
a movement to set up a site that contains signatures for intrusions...
but not just the snort sigs... but system and application log
signatures, packet data, and perhaps even diffs between logs where the
intrusion was successful and when it was not.
Despite James's good intention with the bulletin board for snort sigs,
I think that snort-sigs archives with aptly named subjects works just
fine for me if I'm looking to quickly mitigate a threat.