[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Eric Hines eric.hines at ...1663...
Wed Jun 8 13:29:41 EDT 2005


We're Bleeding-edge sponsors and I personally as an admin contribute to the
project as well. No need to remind me of the Bleeding-edge Mantra or

The fact of the matter is, going off and creating a bunch of custom
variables outside of the standard variables declared in the default
snort.conf should be up to the individual user. Imagine what would happen if
every person out there who contributes a Bleeding-edge snort rule decided to
go off and make their own variables for all their sigs -- that would be
thousands of new variables people would need to add to their snort.conf -- I
mean come on.

You misspoke regarding your statement on buggy tools. Software isn't buggy
because it doesn't go in to a rules file for the user and add custom
variables that you conjure up.

As admins at Bleeding-Edge, we've been hard at work trying to standardize
the rules that come in. Before we implemented the web-based rule submission
system, people would submit rules without classifications or priorities,
oft-breaking Snort because of this. The last thing I want to see happen is
everyone begin creating their own variables (EHINES_POP3, MY_COOL_FTP_VAR,
etc)... Variables are fine for services that often run on more than one
common port number (e.g. HTTP), but what's next? A variable for FTP?

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com
Enterprise Snort Management at http://www.appliedwatch.com.
Security Information Management for the Open Source Enterprise.
-----Original Message-----
From: Erik Fichtner [mailto:emf at ...3056...] 
Sent: Wednesday, June 08, 2005 2:55 PM
To: Eric Hines
Cc: 'Matt Jonkman'; bleeding-sigs at ...2727...; 'snort-sigs
Subject: Re: [Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

On Wed, Jun 08, 2005 at 02:44:28PM -0500, Eric Hines wrote:
> These new SSH signatures brought down all of our customer's Snort 
> installations because that SSH_PORTS variable is not in the default 
> snort.conf file.

An alert was posted about requiring the variable a full day before the rules
were posted.

> I can't see anyone needing a variable for SSH port 22. Can we kill the 
> variable?

People who specifically run ssh on nonstandard ports *asked* for the
variable.  They're also the ones that asked for the rules.

> I can't imagine how the AWCC nor any other Snort management solution 
> that downloads signatures from the Bleeding-Edge database will then go 
> in to the users snort.conf file and create this new variable for the 
> user.

vars can be included directly in the .rules files.   If the management
solutions can't handle that, they are buggy.

> The AWCC now downloads signatures from bleeding-edge automatically, 
> I'm sure there are other tools that do the same. Will we then expect 
> everyone whose maintaining a Snort ruleset management tool to also go 
> in their and add the SSH_PORTS variable to the snort.conf file in the 
> case that they downloaded Eric's SSH rules?

bleeding-snort disclaims all liability for production difficulties.
Life on the bleeding edge is sometimes perilous.

You should at least look at the deltas before importing them.  You want the
rules to absolutely never crash your snort instance?  fetch them with the
source code tarball.

Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults in the
privacy of their own office" - Adam O'Donnell

More information about the Snort-sigs mailing list