Slashdot Mirror


New Location For (Bleeding-Edge) Snort Sigs

Vantage writes "A few of us have gotten together and built a snort 'signature repository.' ... This is a place for everyone to post their personal and company-made signatures and to take a look at and use those submitted by others. It is by no means a replacement for the snort.org signature base, but it will help to get signatures out there for brand new vulnerabilities. We are hoping that those snort users in the /. community will add their sigs to this database. We are looking to add any and all signatures here, so please feel free to post all of your sigs."

26 comments

  1. Please tell us more by Anonymous Coward · · Score: 0

    Please tell us more about this. Sounds interesting.

    This sig not to be posted in sig repository.

  2. Um.. built? by Nutcase · · Score: 4, Insightful

    Maybe it's just me, but isn't the link pointing at a raw phpbb2 install with very very little customization?

    Is this just a forum for posting stuff, with the concept being "post snort sigs here asap"?

    Why would anyone anywhere use this? You lose all the potential that the concept has by slamming it into a generic system. Why not create a db system that has various intrusion characteristics as bools, and you can attach a sig to a textual report with flagged characteristics, and then let admins and such search the db by characteristic or description text, or affected apps/protocols, etc. Other admins could hit a "have seen in wild" button to let the site rank various intrusion techniques by how common they are.. There is a lot of potential, and it is all squandered. Back to the drawing board.

    1. Re:Um.. built? by sinergy · · Score: 1

      Great ideas. Too bad I think the only response you'll likely get on here by suggesting all of this is "why don't you do it yourself."

      --
      ...
    2. Re:Um.. built? by Nutcase · · Score: 1

      Hehe. I probably could build the app, but I don't know anything about intrusion detection at all, and don't have the time to learn. (And thus I have no desire to spend the time building the app)

      Those ideas were just from looking at what snort is on their page, and taking a guess at what a snort sig does based on the post and the app page.

      My first thought was that this entire story was just a clever troll of some type. I mean, my ideas took about 2 minutes from a complete dead start with no real interest in the problem. And they still show more effort and initiative than these clowns did. Show some pride people - actually aim for more than the bottom. Jeez.

      In writing this, I realize that I am turning into my grandpa about 50 years too early. Ugh.

  3. phpBB2? by Ianoo · · Score: 2, Interesting

    That's like, what, a five click install process? No offense, but it doesn't strike me as the ideal software for doing this, let alone hard to set up. You haven't even customised it. You haven't even bought a domain name for this site. It's an interesting idea, but you really need to work on your web marketing skills. But it won't matter, since on a shared server with a MySQL backend I expect the site will be /.ed in about T-minus five minutes.

    1. Re:phpBB2? by Anonymous Coward · · Score: 0

      "But it won't matter, since on a shared server with a MySQL backend I expect the site will be /.ed in about T-minus five minutes."

      Right after the MySQL backend on slashdot itself gets slashdotted?

  4. MySQL database login details by Anonymous Coward · · Score: 4, Funny

    See who will be the first to hack the site:

    config.php

    1. Re:MySQL database login details by Ianoo · · Score: 1

      ... and these guys claim to be a security company?

    2. Re:MySQL database login details by Nutcase · · Score: 1

      No wonder their name starts with 'git'

      (too British, I wonder?)

    3. Re:MySQL database login details by Vantage · · Score: 1

      Uhhh well looking at a default phpBB directory that is not active and not connected to a DB I feel pretty safe that the info there is useless to you....

    4. Re:MySQL database login details by Anonymous Coward · · Score: 0

      ...which is why you quickly pulled it once it showed up on Slashdot.

      Security company. Yeah. Right.

    5. Re:MySQL database login details by JWSmythe · · Score: 1


      I've heard it in American law enforcement. I believe it has the same meaning. :) Usually meaning a juvenile, and acting exactly as one.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:MySQL database login details by $rtbl_this · · Score: 1

      IIRC, the literal meaning is "a pregnant camel". That one doesn't come up too often, though.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  5. quickly set up crappy site by pizza_milkshake · · Score: 3, Funny

    it's so bleeding edge, there's no time to set things up! hurry!

  6. Systems by Vantage · · Score: 4, Informative

    Well, we are working on other options; this seemed like the easiest and fastest way to get the idea off the ground... Does anyone have any software suggestions... Other than slashcode?? We are looking at CVS....

    1. Re:Systems by JWSmythe · · Score: 1

      Write one? How hard is it to put together a few pages to insert and read a table? Then it'll do exactly what you want it to do, without a bunch of fluff.

      I don't recommend Slashcode. It's really big, and does lots and lots of great stuff, but literally you'll spend the first month trying to figure the whole thing out. If you want a site like Slashdot, then go for it, but it didn't appear that's what you were trying to do.

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:Systems by jrexilius · · Score: 2, Informative

      One of the earlier posts had a few suggestions that may have been worthwhile that would require a bit of customization.

      What, in addition to public access to shared sigs, are you really trying to get at? Would a moderation/voting/popularity function be desired, a wiki-style public read/write forum where they could evolve, better search and classification capabilities, etc.?

      By the way, it's not a bad idea, but it would have helped to be more descriptive in your vision for it and maybe better tool selection.

      If you would like I have a generic PHP framework and database interaction page that you could use, the real issue would be the schema and then the search/browse/vote/classify UI.

    3. Re:Systems by Anonymous Coward · · Score: 0

      Read what Nutcase posted. All you've done is put up a glorified guestbook and expect it to be useful.

  7. Snorting cigs? by Carnildo · · Score: 2, Funny

    I thought cigs were something you smoked, not something you snorted!

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Snorting cigs? by theefer · · Score: 1

      Looking at the website, I would say they were not aware of that.

      --
      theefer
  8. What the fuck is a 'snort'? by c0d3h4x0r · · Score: 0, Flamebait

    As far as I know, it's that obnoxious whiny little red animal from Thundercats. I hate it when they post a story with little clue as to what it's even about.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
    1. Re:What the fuck is a 'snort'? by illuvata · · Score: 2, Informative
    2. Re:What the fuck is a 'snort'? by isorox · · Score: 2, Informative

      You're thinking of Snarf

  9. RE: Snort rules by atomic-penguin · · Score: 4, Insightful

    Doesn't snort.org keep a public repository of Snort signatures? I am pretty sure anyone can make a submission to their set of rules. It's open-source software, rather than forking rules elsewhere they should be submitted to the sourceforge group (so they can be corrected, improved, built into the software as preprocessors and so on). Maybe I am misunderstanding something. I don't really understand the point of doing this.
    I maintain 3 snort servers. Most of my snort rules are very uninteresting, and are used in limiting alerts, and getting rid of false positives due to limited computer resources. We cannot afford to have 10,000 or more alerts per day. The most interesting thing I have written for snort is a simple update utility that gets new rules every 24 hours.

    Just my 2 cents.

    --
    /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  10. That would require editors. by EnglishTim · · Score: 0, Offtopic

    And Slashdot doesn't have editors.

  11. Re: Snort rules by Vantage · · Score: 2, Interesting

    If you like, submit the update utility... I use oinkmaster and have had good luck but if someone has another option... it would be interesting to look at.

    As for the reasoning behind this. I have debated this with dozens of people in the last week. Snort.org and the sourceforge snort list are great resources.. but few people submit things that they think are only good for their INTERNAL use and nothing makes it into the signature-base until it gets approved... in my installation and in others there is a need for a good source of sigs for exploits that have JUST been released. Snort.org doesn't want to, and I agree with them, start releasing untested signatures... They do an incredible job. I, and several others, wanted a place we could put our signatures for brand new stuff, so we each didn't have to write a new signature while we were waiting for the "official" sig to be released into the snort sig-base. This place gives us a place to submit our sigs and use each others' and it allows us to cut down on the maintenance time that we spend on our snort installs. It is a useful place for us and I hope it becomes a useful place for others in our situation.

    As for your rules being uninteresting... I bet there is someone out there that would find them handy... It's not like it is hard to post them... and maybe someone can use them... I say post what you have... it can't hurt and it might help someone out!!