[Snort-sigs] RE: Signature Database

Matthew Jonkman matt at ...2436...
Mon May 3 07:49:00 EDT 2004


Here's an update on where we are with the bleeding signatures.

1. We're dropping the forum. It's not providing anything but a splinter 
of the sigs list, as we expected.

2. We're dropping CVS. Too cumbersome and a pain in the butt. It's still 
up for now till we get an alternative up. http://snort.infotex.com/

3. We're going to try out WVS. You can see the beta at 
http://www.snort.gitflorida.com/wvs/. It's got some issues to solve, but 
is promising. Help and ideas there are welcome.

Really, what the bleeding rules intend to be is the repository for what 
comes off this list. You can be assured that the last version of the 
rule with the tweaks that make it right is available in a single place.

There will also be rules that don't pass this list. There will 
eventually be a web form to submit a rule, and the submitter can have 
some 'ownership' of the rule until it's called stable and Brian decides 
to take it into the stable rulesets on snort.org.

Certainly not every sig we handle will go to stable on snort.org. Some 
are crappy rules that detect a very specific threat that's only around 
for a couple days. Those will come and go as appropriate.

So at the moment, we've got most of what's out there at 
http://snort.infotex.com. You can grab the bleeding.rules and see the 
recent threats. Some rules are really good, some are crapola. But 
they'll serve a purpose. Send us feedback and tweaks and we'll keep that 
ruleset tweaked.

Ideas and more volunteers are welcome. More is coming in the near 
future. And again, we hope to augment this list and its users. Not 
replace, splinter, or duplicate information.

Thanks

--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer




Mike Poor wrote:
> On Apr 28, 2004, at 12:15 PM, Frank Knobbe wrote:
> 
>> But isn't this exactly what this list is about? When Symantec or ISS or
>> Lurhq or SANS ISC or dshield users release a signature, it most always
>> finds its way into this list by being forwarded by someone who saw the
>> sig. Members of this list can then incorporate that sig into their
>> custom rules file or not, their choice. But I don't see why we need yet
>> another place providing those sigs.
> 
> 
> I agree Frank.. but I also understand the desire for people to branch 
> out, and want to get fast (even if sucky) rule updates for the latest 
> threats.  I thought that arachnids (whitehats, Max Vision's site) was a 
> great place to understand rules.  I liked their interface, their 
> documentation, the fact that they included packet dump data with their 
> documentation.  I would not however download my rule set from them.  I'm 
> sure you are aware of Max's run in with the federales, and despite his 
> good work and nice website... that's not where I want my security 
> information coming from.
> 
> I've been talking with a number of people in the community and there is a 
> movement to set up a site that contains signatures for intrusions... but 
> not just the snort sigs... but system and application log signatures, 
> packet data, and perhaps even diffs between logs where the intrusion was 
> successful and when it was not.
> 
> Despite James's good intention with the bulletin board for snort sigs, I 
> think that snort-sigs archives with aptly named subjects works just fine 
> for me if I'm looking to quickly mitigate a threat.
> 
> Mike
