[Snort-sigs] Rule Set Completness

Jennifer Steffens jennifer.steffens at ...435...
Wed May 10 14:34:03 EDT 2006

Frank Knobbe wrote:
> On Tue, 2006-05-09 at 11:36 -0400, Matt Jonkman wrote:
>>> see also: OSSRC Rules Overlap Committee.
>> There are some dupes now. We are trying to work them out with the SF
>> folks via the overlap committee. It's slow at the moment. That committee
>> is just getting it's legs, and has a lot of work ahead of it. But have
>> faith, I know they'll get into motion soon!
> Is it? The last email in the ossrc list was from me back in September of
> last year. Looks to me like OSSRC curled up and died. 

The OSSRC Intro list was designed just to get the ball rolling. We
use separate lists for board and committee communications. We can easily
set up an OSSRC member discussion list if you think it would be helpful
and there are others that are interested.

Especially considering the recent rash of duplicate signatures put forth by
the SF guys in regards to malware/spyware sigs and little sigs like Nugache.

As has been mentioned before, the VRT Certified Rulesets that
Sourcefire provides to the community are the same rulesets we provide to
our Sourcefire 3D customers. With that in mind, the issue of duplicate
rules is something that can only be addressed in terms of
identification, recommendation, and coordination. The VRT ruleset will
always provide the most comprehensive and accurate detection available
for the things Sourcefire customers are interested in.

In regards to the recent spyware release, Sourcefire VRT customers
requested coverage for these items and the VRT researched, audited,
tested, documented, and released the PUT category. In an ongoing effort,
the VRT is currently working with folks from Bleeding Snort to identify
duplicates so they can be addressed. A recent example of Sourcefire
efforts would be the community rule set moving to using a
community-sid-msg.map and prepending all flowbits in the community set
with the string "community".   Just to make sure there were no
collisions within all rulesets. I have yet to see other rule
distributions follow suit.

It is unfortunate that there is no standard reference for malware so the
work of identifying overlap is slow and arduous. If you have a list of
duplicates with some notes on which ones you think should stay and which
should go, please send it along. It would be a great help.

> I have the impression that no one cares anymore about avoiding
> duplicates. Then again, licensed VRT sigs were excluded from that
> anyway.
> And I have yet to see anything in regards to the SID allocation project
> either. Perhaps we need to start a small SID allocation database at
> BleedingSnort. Shouldn't take more than a couple days to set up.

The issue of SID allocation was tabled temporarily at the request
of the Rules Overlap Committee as it is a natural byproduct of their
work. In the meantime, if a group would like alloted SIDs, they just
need to let us know. We have done this for the Bleeding Snort, Community
and User-defined rulesets.

The OSSRC was formed to help out everyone in the community make sure
that things run smoothly overall. It was never intended to replace the
need for communication on the lists and directly between the various
groups. As folks continue to volunteer, the group will be able to
accomplish more and more.


Jennifer Steffens
Director, Product Management - Snort
Sourcefire, Inc

More information about the Snort-sigs mailing list