[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Matt Jonkman matt at ...2436...
Wed Jun 8 21:56:04 EDT 2005


Eric Maheo wrote:
> well.. confronted with the absurdity of Erik Fichtner's comments it is
> hard to find arguments since he is spinning the facts..

I'd disagree that there's absurdity from Erik. But either way, I added
the var to the BS rules, not Erik. I'm the person to talk to about it.
Erik just proposed sigs, I edited them, approved them and committed
them. It was me 4 days later that removed the var crutch from the sigs
assuming after 2 business days folks would have either seen the 2
announcements on the site and the mailing lists, or seen it in the diff
emails sent to both lists.

> 
> Now that said, let's try to be constructive..
> 

Agreed

> 2 or 3 months ago Sourcefire and Bleeding Edge created the OSSRC. it is
> a very nice idea to avoid duplication of rules, overlapping of sids
> and....
> I think OSSRC should also be the provider of VARIABLES.

That'd be a good thing if ossrc gets rolling. It's not there now, and
may be a while. I'm not willing to suppress very useful rules in the
meantime.

> Now I see 2 solutions:
> 	-a solution is to remove this variable.

Ummm.. Why?  Can't you add it? If you need help with vi let me know.  :)

> 	-an other solution is to ask Sourcefire to add this variable in the
> snort.conf..

Already been done. Waiting on a response.

I wish the subject would die off here. We added a var. If you don't like
it then don't use those sigs. They're very easy to disable in any rule
manager.

if you're pushing rules without reading them and not tailoring the
changes to fit your needs then you're going to have more problems than a
new var.

If your customers (and anyone else for that matter) had a snort crash I
hate to hear that. I don't ever want to drive anyone away from snort or
bleeding snort for any reason. But this is a simple fix. Add the var,
restart. We're talking minutes at the most out of your day. And
hopefully a lesson learned not to trust anything blindly when you're
dealing with your own security.

I do hope folks trust us, but you should still check us. Not just
sometimes, but *every* time. If that doesn't make sense you shouldn't be
in this field.

Matt


--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.




More information about the Snort-sigs mailing list