[Snort-users] Re: Status of Snort and the Rules - Stalled???

Jukka Juslin jtjuslin at ...7943...
Fri Jul 25 07:18:14 EDT 2003


Hi,

I think quite many Snort rules are really old and a whole update of
some Snort rulesets may have happened a long time ago. "A long time" in
the security field can be a short time - think about the "Window of
Vulnerability" for example, when there is yet no patch. You could at least
detect if there is an attack.

Snort falls far back from Nessus, where new plugins are coming in much
faster. Behind Nessus, there is only one person, who basically does most
of the work. Perhaps this is the only working "open source" model...

I think the author of Snort is busy doing something else, which is totally
understandable.

Perhaps the required documentation of new rules, to be included in the
distribution, could be made less. This would speed up release. Also, if I
seem to have been able to make a useful rule (which I am indeed able to
test), I would like it to get included in the Snort distribution asap.

Even though an old idea, a public web based rating for plugins might help.
If a certain new plugin gets enough yes votes, it could be automatically
added to the distribution (and no "no" votes). Well, human intervention
is required anyway. If there would be somebody, who is competent and
willing to spend a lot of time with Snort signatures, I think he/she
should be given the political power to decide, develop and add new
signatures. I think the main interest of the old developers is on the
Snort "Engine" side.

Jukka

On Fri, 25 Jul 2003, Francesco wrote:

->Recently.
->ISS sent out this message to some of their customers and partners
->
->(..)
->I did some recent checking into our Network IDS competition and how they
->went about protecting their customers from the new Microsoft vulnerability
->(http://xforce.iss.net/xforce/alerts/id/147).  X-Force shipped XPUs for this
->vulnerability and the big Cisco DoS already (7/18 and 7/19).  Here is how
->everyone else stacks up:
->
->  Symantec Manhunt 		No protection
->  Cisco IDS  			No protection
->  Netscreen  			No protection
->  Intruvert/NAI  		No protection
->  Snort  			No protection
->
->(..)
->The promotional purpose is clear but the content is not far from what
->everyone here would like to say first.
->
->Now, the question everyone can ask is: what is the status with such
->rule/exploit?
->Some of us are better than others to release  and support new rules. I had
->a look at the RPC rules, its status is : v. 1.46, released June 2003.
->
->I'd like to contribute in an active manner, but maybe my resources are
->scarce on this side.
->Nonetheless, some sort of priority could really be necessary in cases like
->this.
->
->Comments?
->Francesco

--
Jukka Juslin (M.Sc.)            "The theater was in total confusion.
http://www.cs.hut.fi/u/jtjuslin/ Some were shouting one thing, others another,
Jukka.Juslin at ...9731...              and most did not even know
+ 358 40 520 9879                why they had assembled." Acts 19:32