[Snort-users] Ideas from within

Tom Vandepoel Tom.Vandepoel at ...271...
Wed Oct 4 05:06:29 EDT 2000


Keith Pachulski wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> While speaking with Joseph Yarbrough, we both came to the conclusion
> we need a new list to post new IDS signatures to or permit the
> posting of new IDS signatures when they are developed to the snort
> list. The daily and weekly update functionality that whitehats had
> was a great help. Unfortunately that function is not there anymore
> for everyone to post new signatures. A new list for posting IDS sigs
> or posting to the current snort list seems like the next best option.
> 

I'm all for it. Rule development is lost in the noise of other questions
otherwise. It doesn't belong on the development list either, since it
has nothing to do with the snort code...
I'd be happy to contribute, if I know were to subscribe ;-)

I also feel ruleset development should be coordinated as much as
possible within the snort community. It makes no sense to have multiple
rulesets like the basic ruleset, rapidnet, whitehats... Luckily,
rapidnet = snort.org now, but I still feel all ruleset development
should be organized under snort.org.

Ofcourse, different people have different requirements for the rulebase,
creating a divergent need. But I think Jim has already addressed this
pretty well by defining different catagories. Especially the 'high
false' category is a very effective separation...

Snort rules are generally highly effective and most up-to-date of all of
the NIDS's I'm familiar with (Realsecure/AFJ/Netranger), but a lot of
rules still trigger too much false positives. There's still a lot of
tuning work needed to get that minimized. Ofcourse, snort itself is
still lacking some application level protocol decoding features, so some
attack types (typically HTTP URL stuff) can't be properly defined
without triggering too much falses... but overall, I'm very happy with
snort and I would choose it over any commercial NIDS anytime, mostly
because of its ability to be tuned at the ruleset level.

It may not be the most technically advanced in some areas (application
level protocol logic -> AFJ is pretty good at that), but in practice, I
still feel its the most effective NIDS there is right now.

So, all you snorters out there, keep up the cool work!

Tom.

-- 
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2884 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001004/24a8dbef/attachment.bin>


More information about the Snort-users mailing list