[Snort-sigs] how current are snort signatures ?

Frank Knobbe frank at ...1978...
Thu May 27 18:30:06 EDT 2004

On Tue, 2004-05-25 at 00:50, Hari Krishnan wrote:
> I am currently looking at various options for IPS systems. One of our
> key criteria is that the IPS signatures must be current or atleast
> needs to be made available as soon as a vulnerbility is identified
> (ideally even before an exploit has occured). Could you pls help with
> information on how current are snort signatures and how does snort
> compare to best of breed signature based IPS/IDS systems in the
> market. 

I'm surprised no one answered this yet, so I'll give it a try.

There is no metric for how current Snort's rules are, or any other IDS
for that matter. How would you measure that? That said, Snort is the
first IDS that people write rules for when new vulnerabilities,
exploits, worms, or even viruses are discovered. If you pay attention to
places like the SANS Internet Storm Center (incidents.org), or mail
lists that deal with these things (Dshield, Incidents, etc, or right
here in Snort-Sigs), you will notice that Snort rules are created as
soon as someone has "seen" or analyzed the issue. In some cases within
just hours.

The main reason is that the rules and the syntax are open and available.
Commercial vendors (like traditional Anti-Virus vendors  that now also
"do" IDS/IPS), come out with updates pretty fast as well. However, you
are relying on that commercial entity. If a researcher discovers an
issue, he will notify the public at large (typically with a Snort
signature). Vendors will pick this information up and then make their
own updates available. Sometimes these commercial vendors have IDS that
even understand the Snort rule syntax.

I think that almost makes Snort rules the de facto standard in the IDS
industry, and the quickest "to market" with updated rules.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040527/c7c0bb47/attachment.sig>

More information about the Snort-sigs mailing list