Mike Poor mike at ...2444...
Mon May 3 04:54:48 EDT 2004

On Apr 28, 2004, at 12:15 PM, Frank Knobbe wrote:

> But isn't this exactly what this list is about? When Symantec or ISS or
> Lurhq or SANS ISC or dshield users release a signature, it most always
> finds its way into this list by being forwarded by someone who saw the
> sig. Members of this list can then incorporate that sig into their
> custom rules file or not, their choice. But I don't see why we need yet
> another place providing those sigs.

I agree, Frank... but I also understand the desire for people to branch
out, and want to get fast (even if sucky) rule updates for the latest
threats.  I thought that arachNIDS (whitehats, Max Vision's site) was a
great place to understand rules.  I liked their interface, their
documentation, the fact that they included packet dump data with their
documentation.  I would not, however, download my rule set from them.  I'm
sure you are aware of Max's run-in with the federales, and despite his
good work and nice website... that's not where I want my security
information coming from.

I've been talking with a number of people in the community and there is
a movement to set up a site that contains signatures for intrusions...
but not just the snort sigs... but system and application log
signatures, packet data, and perhaps even diffs between logs where the
intrusion was successful and when it was not.

Despite James's good intention with the bulletin board for snort sigs,
I think that snort-sigs archives with aptly named subjects work just
fine for me if I'm looking to quickly mitigate a threat.


