[Snort-sigs] RE: Signature Database
matt at ...2436...
Mon May 3 07:49:00 EDT 2004
Here's an update on where we are with the bleeding signatures.
1. We're dropping the forum. It's not providing anything but a splinter
of the sigs list, as we expected.
2. We're dropping CVS. Too cumbersome and a pain in the butt. It's still
up for now till we get an alternative up. http://snort.infotex.com/
3. We're going to try out WVS. You can see the beta at
http://www.snort.gitflorida.com/wvs/. It's got some issues to solve, but
is promising. Help and ideas there are welcome.
Really, what the bleeding rules intend to be is the repository for what
comes off this list. You can be assured that the last version of the
rule with the tweaks that make it right are available in a single place.
There will also be rules that don't pass this list. There will
eventually be a web form to submit a rule, and the submitter can have
some 'ownership' of the rule until it's called stable and Brian decides
to take it into the stable rulesets on snort.org.
Certainly not every sig we handle will go to stable on snort.org. Some
are crappy rules that detect a very specific threat that's only around
for a couple days. Those will come and go as appropriate.
So at the moment, we've got most of what's out there at
http://snort.infotex.com. You can grab the bleeding.rules and see the
recent threats. Some rules are really good, some are crapola. But
they'll serve a purpose. Send us feedback and tweaks and we'll keep that
Ideas and more volunteers are welcome. More is coming in the near
future. And again, we hope to augment this list and its users. Not
replace, splinter, or duplicate information.
Matthew Jonkman, CISSP
Senior Security Engineer
Mike Poor wrote:
> On Apr 28, 2004, at 12:15 PM, Frank Knobbe wrote:
>> But isn't this exactly what this list is about? When Symantec or ISS or
>> Lurhq or SANS ISC or dshield users release a signature, it most always
>> finds its way into this list by being forwarded by someone who saw the
>> sig. Members of this list can then incorporate that sig into their
>> custom rules file or not, their choice. But I don't see why we need yet
>> another place providing those sigs.
> I agree Frank.. but I also understand the desire for people to branch
> out, and want to get fast (even if sucky) rule updates for the latest
> threats. I thought that arachnids (whitehats, Max Vision's site) was a
> great place to understand rules. I liked their interface, their
> documentation, the fact that they included packet dump data with their
> documentation. I would not however download my rule set from them. I'm
> sure you are aware of Max's run in with the federales, and despite his
> good work and nice website... that's not where I want my security
> information coming from.
> I've been talking with a number of people in the community and there is a
> movement to set up a site that contains signatures for intrusions... but
> not just the snort sigs... but system and application log signatures,
> packet data, and perhaps even diffs between logs where the intrusion was
> successful and when it was not.
> Despite James's good intention with the bulletin board for snort sigs, I
> think that snort-sigs archives with aptly named subjects works just fine
> for me if I'm looking to quickly mitigate a threat.