[Snort-users] Snort Signature – Rule Documentation

Carlos Felix snort at ...8664...
Wed Jul 2 22:13:07 EDT 2003


Snort Signature – Rule Documentation

I have asked this once before here but it either got lost in the line
noise or no one cared enough to even tell me to shut up and take a hike
but I’ll ask again and also try to make some other points.

Is there any way to download the Snort Signature Database rule
documentation? How about the related database/info from arachNIDS, or
CVE, or Bugtraq, etc.?

The reason for the question is that I have to generate reports for my boss
on the results of the previous day's triggered signatures, and if I give him
a copy of the rule he will look at it like a monkey trying to do some high
level calculus and ask me to explain, so I have made a new table in my
Snort alert DB that I call in during a report to correlate the SID of the
triggered rule to some plain old English text that explains it in a form
a carbon-based life form can understand. With that said, I am willing
to post the table and its content if anyone is interested in what I have
so far. What I have done is look up the SID on the Snort page and copy
the English explanation of the rule to a field. Sometimes, when the rule is
not explained at the Snort website but has a reference to CVE, Bugtraq,
arachNIDS, etc., I go to those sources to get the info on the rule and put
it in the table. To that end I have sometimes taken pieces of info from
one site and some other info from another site and so on to make a
reasonable explanation of the rule.
Something that I have found in all this searching for info is that the
Snort site never references the ISS explanations for some of these rules
(and what I have gotten from ISS has to be the BEST damn documentation of
some of these rules) – Is there a reason for this? Other than maybe the
folks that maintain the Snort website are busy with other things – I mean
I understand that the folks that maintain the website have real jobs that
need to be tended to before work can go into a GNU project.

Carlos
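The SID-to-plain-English lookup table described in the post, as an added example that is not part of the original message or of Snort itself. The `event`/`signature` schema below is an assumption loosely modelled on the old Snort/ACID database layout; the `sid_doc` table, the local-range SIDs, the alert rows and the descriptions are all constructed sample data. The report query uses a LEFT JOIN so that rules which fired but have no description yet still appear, and `undocumented_sids()` lists exactly those gaps so the table can be filled in over time.

```python
"""Correlate triggered Snort SIDs with plain-English descriptions for a daily report.

Added example (not from the mailing-list post). The schema is an assumption
modelled on the event/signature tables of the classic Snort/ACID database;
SIDs, alert rows and descriptions are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_sid INTEGER, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
-- the lookup table the post describes: SID -> human-readable explanation
CREATE TABLE sid_doc (sid INTEGER PRIMARY KEY, description TEXT, source TEXT);
"""

# Constructed data; SIDs are in the local-rule range, not real Snort rules.
SAMPLE_SIGNATURES = [
    (1, 1000001, "LOCAL example probe A"),
    (2, 1000002, "LOCAL example probe B"),
    (3, 1000003, "LOCAL example probe C"),
]
SAMPLE_EVENTS = [
    # sensor id, event id, signature (FK to signature.sig_id), timestamp
    (1, 1, 1, "2003-07-01 08:15:00"),
    (1, 2, 1, "2003-07-01 09:40:00"),
    (1, 3, 2, "2003-07-01 13:05:00"),
    (1, 4, 3, "2003-07-01 22:30:00"),
    (1, 5, 1, "2003-07-02 01:10:00"),   # next day; must not appear in the report
]
SAMPLE_DOCS = [
    (1000001, "Scanner looking for an open example service; noisy but low risk.", "constructed"),
    (1000002, "Attempt to fetch a configuration file from the web server.", "constructed"),
    # 1000003 deliberately has no description yet
]


def build_sample_db():
    """Create an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", SAMPLE_SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO sid_doc VALUES (?,?,?)", SAMPLE_DOCS)
    conn.commit()
    return conn


REPORT_SQL = """
SELECT s.sig_sid, s.sig_name, COUNT(*) AS hits,
       COALESCE(d.description, '(no plain-English description yet)') AS description
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN sid_doc d ON d.sid = s.sig_sid
WHERE substr(e.timestamp, 1, 10) = ?
GROUP BY s.sig_sid, s.sig_name, d.description
ORDER BY hits DESC, s.sig_sid
"""


def daily_report(conn, day):
    """Return (sid, rule name, hit count, description) rows for alerts on `day` (YYYY-MM-DD).

    The LEFT JOIN keeps SIDs that have no entry in sid_doc, so gaps in the
    documentation table show up in the report instead of silently vanishing.
    """
    return conn.execute(REPORT_SQL, (day,)).fetchall()


def undocumented_sids(conn):
    """SIDs that have fired at least once but have no description in sid_doc."""
    rows = conn.execute("""
        SELECT DISTINCT s.sig_sid
        FROM event e JOIN signature s ON s.sig_id = e.signature
        LEFT JOIN sid_doc d ON d.sid = s.sig_sid
        WHERE d.sid IS NULL ORDER BY s.sig_sid
    """).fetchall()
    return [r[0] for r in rows]


def format_report(rows):
    """Render report rows as the plain text a non-technical reader would get."""
    lines = []
    for sid, name, hits, desc in rows:
        lines.append(f"SID {sid} ({name}): {hits} alert(s)\n    {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    db = build_sample_db()
    print(format_report(daily_report(db, "2003-07-01")))
    print("Still undocumented:", undocumented_sids(db))
```

Keeping a `source` column on the lookup table records where each explanation was assembled from (the Snort page, CVE, Bugtraq, arachNIDS), which matters when the explanation is a paste-up from several sites and later needs to be checked or updated.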
