[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Erik Fichtner emf at ...3056...
Wed Jun 8 13:46:18 EDT 2005

On Wed, Jun 08, 2005 at 03:26:44PM -0500, Eric Hines wrote:
> We're Bleeding-edge sponsors and I personally as an admin contribute to the
> project as well. No need to remind me of the Bleeding-edge Mantra or
> disclaimers. 

...Says the guy that set up his paying customers to automatically download
a pile of rules from the bleeding-edge repository. Do we have to go
off and rename it "This-Will-Tear-Your-Sensor-A-New-SnortHole-sigs" ?

C'mon.  Don't blame us for your design decisions.

> The fact of the matter is, going off and creating a bunch of custom
> variables outside of the standard variables declared in the default
> snort.conf should be up to the individual user. Imagine what would happen if
> every person out there who contributes a Bleeding-edge snort rule decided to
> go off and make their own variables for all their sigs -- that would be
> thousands of new variables people would need to add to their snort.conf -- I
> mean come on.
> You misspoke regarding your statement on buggy tools. Software isn't buggy
> because it doesn't go in to a rules file for the user and add custom
> variables that you conjure up.

# this is my crazy rule, watch out!
var HTTP_PORTS [4323:5000]
alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid: 111111111; ... )
var HTTP_PORTS 9999
alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid: 111111111; ... )
# okay, the craziness is done.

...is perfectly valid Snort configuration syntax. The ONLY difference
between snort.conf and $mumble.rules is *CONVENTION*. You ignore this
at your peril.

Allowing variables near rules is desirable. 

Boy, are your customers going to be pissed off when I leak a rule that
comes with its own ruletype specifier and have a compelling enough
reason that everyone agrees to publish it. 

Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell
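The point made above (that a `.rules` file can carry `var`, `ruletype` and other configuration directives, and that a sensor which auto-loads third-party rules will silently honour them) suggests a simple check before such a file is fed to Snort. The following script is an added example, not code from the thread or from the Bleeding Snort project: it walks a rules file, separates genuine rule lines from configuration directives, and reports any redefinition of a variable the sensor already defines, plus every rule that then uses the overridden value. The directive and action keyword lists follow the Snort 2.x manual; the sample input is constructed from the "crazy rule" snippet in the post with made-up sids, and `HTTP_PORTS` is assumed to be a baseline variable from the stock snort.conf.

```python
"""Audit a downloaded Snort rules file for configuration directives that
hide among the rules.  Added example, not part of the original thread."""
import re
from dataclasses import dataclass

# Actions that begin a real detection rule (Snort 2.x rule header keywords).
RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop",
                "activate", "dynamic"}

# Keywords that reconfigure the sensor instead of adding a rule.
CONFIG_DIRECTIVES = {"var", "ipvar", "portvar", "ruletype", "config", "include",
                     "preprocessor", "output", "dynamicpreprocessor",
                     "dynamicengine", "dynamicdetection"}

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample, modelled on the snippet quoted in the post (sids invented).
SAMPLE_RULES = """\
# this is my crazy rule, watch out!
var HTTP_PORTS [4323:5000]
alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid:1000001; rev:1;)
var HTTP_PORTS 9999
alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid:1000002; rev:1;)
# okay, the craziness is done.
"""


@dataclass
class Finding:
    line_no: int
    kind: str      # "directive", "redefinition", "shadowed-use", "unrecognized"
    detail: str


def _logical_lines(text):
    """Yield (first_line_no, joined_text), honouring Snort's backslash
    line continuations so a multi-line rule is examined as one unit."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def audit_rules_text(text, baseline_vars=None):
    """Return a Finding for every non-rule directive, every (re)definition of a
    variable the sensor already knows, and every rule that references a
    variable this file redefined earlier."""
    baseline = set(baseline_vars or ())
    redefined = {}          # variable name -> line where this file set it
    findings = []
    for n, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        word = line.split(None, 1)[0].lower()
        if word in RULE_ACTIONS:
            for var in VAR_REF.findall(line):
                if var in redefined:
                    findings.append(Finding(n, "shadowed-use",
                        f"rule uses ${var} as redefined at line {redefined[var]}"))
            continue
        if word in CONFIG_DIRECTIVES:
            findings.append(Finding(n, "directive", line))
            parts = line.split()
            if word in ("var", "ipvar", "portvar") and len(parts) >= 3:
                name = parts[1]
                if name in baseline or name in redefined:
                    findings.append(Finding(n, "redefinition",
                        f"{name} redefined to {parts[2]}"))
                redefined[name] = n
            continue
        # Anything else (e.g. the body of a ruletype block) deserves a look too.
        findings.append(Finding(n, "unrecognized", line))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'directive': 2, 'redefinition': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_rules_text(SAMPLE_RULES, baseline_vars={"HTTP_PORTS"}):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against the sample, the audit reports two directives, two redefinitions of `HTTP_PORTS`, and two rules whose `$HTTP_PORTS` no longer means what snort.conf says. Anything in the "directive" or "redefinition" categories is worth a human decision before the file reaches a production sensor, since Snort itself will accept it without complaint.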