Slashdot Mirror


New Location For (Bleeding-Edge) Snort Sigs

Vantage writes "A few of us have gotten together and built a snort 'signature repository.' ... This is a place for everyone to post their personal and company-made signatures and to take a look at and use those submitted by others. It is by no means a replacement for the snort.org signature base, but it will help to get signatures out there for brand new vulnerabilities. We are hoping that those snort users in the /. community will add their sigs to this database. We are looking to add any and all signatures here, so please feel free to post all of your sigs."

2 of 26 comments

  1. Um.. built? by Nutcase · Score: 4, Insightful

    Maybe it's just me, but isn't the link pointing at a raw phpbb2 install with very, very little customization?

    Is this just a forum for posting stuff, with the concept being "post snort sigs here asap"?

    Why would anyone anywhere use this? You lose all the potential that the concept has by slamming it into a generic system. Why not create a db system that has various intrusion characteristics as bools, and you can attach a sig to a textual report with flagged characteristics, and then let admins and such search the db by characteristic or description text, or affected apps/protocols, etc. Other admins could hit a "have seen in wild" button to let the site rank various intrusion techniques by how common they are. There is a lot of potential, and it is all squandered. Back to the drawing board.

  2. RE: Snort rules by atomic-penguin · Score: 4, Insightful

    Doesn't snort.org keep a public repository of Snort signatures? I am pretty sure anyone can make a submission to their set of rules. It's open-source software; rather than forking rules elsewhere, they should be submitted to the sourceforge group (so they can be corrected, improved, built into the software as preprocessors and so on). Maybe I am misunderstanding something. I don't really understand the point of doing this.

    I maintain 3 snort servers. Most of my snort rules are very uninteresting, and are used in limiting alerts, and getting rid of false positives due to limited computer resources. We cannot afford to have 10,000 or more alerts per day. The most interesting thing I have written for snort is a simple update utility that gets new rules every 24 hours.

    Just my 2 cents.

    --
    /^([Ss]ame [Bb]at (time, |channel.)){2}$/
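The comment above describes two things a site maintainer does with Snort rules: pull fresh rules on a schedule, and keep noisy rules disabled to hold alert volume down. The following is an added example, not atomic-penguin's utility and not anything from snort.org or the repository the story links to. It implements the merge step that such an update script needs once a rules file has been downloaded: parse the fetched file, reject lines that are not well-formed rules, add rules with new SIDs, replace rules whose `rev` went up, and, crucially for the false-positive point, keep a rule that was disabled locally disabled even when the upstream copy is enabled. The download itself is left out; both rule sets are constructed inline, and the SIDs, messages and contents in them are invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rules currently installed on the sensor.
# SID 1000002 is commented out locally because it was a false-positive source.
LOCAL_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example rule A"; content:"/a"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB noisy rule B"; content:"/b"; sid:1000002; rev:1;)
# local note: rule B disabled 2003-04-01, fires on our own monitoring probes
"""

# Constructed sample: what a scheduled fetch just downloaded (one junk line included).
FETCHED_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example rule A"; content:"/a"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB noisy rule B"; content:"/b"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"WEB new rule C"; content:"/c"; sid:1000003; rev:1;)
this is not a rule at all
"""

# A rule line: optional leading '#' (disabled), then action, protocol, src, sport,
# direction, dst, dport and a parenthesised option block.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+[-<]>\s+\S+\s+\S+\s*\(.*\))\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


@dataclass
class Rule:
    sid: int
    rev: int
    enabled: bool
    text: str  # rule body without any leading '#'


def parse_rules(blob):
    """Return ({sid: Rule}, [rejected lines]). Plain comments are skipped silently;
    uncommented lines that are not well-formed rules are reported, not installed."""
    rules, rejected = {}, []
    for raw in blob.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            if not line.startswith('#'):
                rejected.append(line)
            continue
        body = m.group('body')
        sid_m = SID_RE.search(body)
        if sid_m is None:          # a rule without a sid cannot be tracked across updates
            rejected.append(line)
            continue
        rev_m = REV_RE.search(body)
        sid = int(sid_m.group(1))
        rules[sid] = Rule(sid, int(rev_m.group(1)) if rev_m else 0,
                          m.group('disabled') is None, body)
    return rules, rejected


def merge_rules(local, fetched):
    """Merge fetched rules into the local set. New SIDs are added, higher revs replace
    the rule text, and the local enabled/disabled decision always wins."""
    merged = dict(local)
    summary = {'added': [], 'updated': [], 'kept_disabled': []}
    for sid, new in fetched.items():
        old = local.get(sid)
        if old is None:
            merged[sid] = new
            summary['added'].append(sid)
            continue
        if new.rev > old.rev:
            merged[sid] = Rule(sid, new.rev, old.enabled, new.text)
            summary['updated'].append(sid)
        if not old.enabled:
            summary['kept_disabled'].append(sid)
    return merged, summary


def render_rules(rules):
    """Serialise back to a rules file, commenting out disabled rules."""
    lines = []
    for sid in sorted(rules):
        r = rules[sid]
        lines.append(r.text if r.enabled else '# ' + r.text)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    local, _ = parse_rules(LOCAL_RULES)
    fetched, bad = parse_rules(FETCHED_RULES)
    merged, summary = merge_rules(local, fetched)
    print('rejected from download:', bad)
    print('summary:', summary)
    print(render_rules(merged))
```

A real update job would run this after the download and only move the rendered file into place (and restart or HUP Snort) when the rejected list is empty or at least reviewed, so that a corrupt or partial download never replaces a working ruleset.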