Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Location For (Bleeding-Edge) Snort Sigs

Posted by timothy on from the because-malware-sucks dept.

Vantage writes "A few of us have gotten together and built a snort 'signature repository.' ... This is a place for everyone to post their personal and company-made signatures and to take a look at and use those submitted by others. It is by no means a replacement for the snort.org signature base, but it will help to get signatures out there for brand new vulnerabilities. We are hoping that those snort users in the /. community will add there sigs to this database. We are looking to add any and all signatures herem so please feel free to post all of your sigs."

11 of 26 comments (clear)

  1. Um.. built? by Nutcase · · Score: 4, Insightful

    Maybe it's just me, but isn't the link pointing at a raw phpbb2 install with very very little customizaiton?

    Is this just a forum for posting stuff, with the concept being "post snort sigs here asap"?

    Why would anyone anywhere use this? you lose all the potential that the concept has by slamming it into a generic system. Why not create a db system that has various intrusion characteristics as bools, and you can attach a sig to a textual report with flagged characteristics, and then let admins and such search the db by characteristic or description text, or affected apps/protocols, etc. Other admins could hit a "have seen in wild" button to let the site rank various intrusion techniques by how common they are.. There is a lot of potential, and it is all squandered. Back to the drawing board.

  2. phpBB2? by Ianoo · · Score: 2, Interesting

    That's like, what, a five click install process? No offense, but it doesn't strike me as the ideal software for doing this, let alone hard to set up. You haven't even customised it. You haven't even bought a domain name for this site. It's an interesting idea, but you really need to work on your web marketing skills. But it won't matter, since on a shared server with a MySQL backend I expect the site will be /.ed in about T-minus five minutes.

  3. MySQL database login details by Anonymous Coward · · Score: 4, Funny

    See who will be the first to hack the site:

    config.php

  4. quickly set up crappy site by pizza_milkshake · · Score: 3, Funny

    it's so bleeding edge, there's no time to set things up! hurry!

  5. Systems by Vantage · · Score: 4, Informative

    Well we are working on other options this seamed like the easiest and fastest way to get the idea off the ground... Does anyone have any software suggestions... Other than slashcode?? We are looking at CVS....

    1. Re:Systems by jrexilius · · Score: 2, Informative

      One of the earlier posts had a few suggestions that may have been worthwhile that would require a bit of customization.

      What, in addition to public access to shared sigs, are you really trying to get at? Would a moderation/voting/popularity function be desired, a wiki-style public read/write forum where they could evolve, better search and classification capabilities, etc.?

      By the way, its not a bad idea, but it would have helped to be more descriptive in your vision for it and maybe better tool selection.

      If you would like I have a generic PHP framework and database interaction page that you could use, the real issue would be the schema and then the search/browse/vote/classify UI.

  6. Snorting cigs? by Carnildo · · Score: 2, Funny

    I thought cigs were something you smoked, not something you snorted!

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  7. Re:What the fuck is a 'snort'? by illuvata · · Score: 2, Informative

    The Open Source Network Intrusion Detection System

  8. RE: Snort rules by atomic-penguin · · Score: 4, Insightful

    Doesn't snort.org keep a public repository of Snort signatures? I am pretty sure anyone can make a submission to their set of rules. It's open-source software, rather than forking rules elsewhere they should be submitted to the sourceforge group (so they can be corrected, improved, built into the software as preprocessors and so on). Maybe I am misunderstanding something. I don't really understand the point of doing this.
    I maintain 3 snort servers. Most of my snort rules are very uninteresting, and are used in limiting alerts, and getting rid of false positives due to limited computer resources. We cannot afford to have 10,000 or more alerts per day. The most interesting thing I have written for snort is a simple update utility that gets new rules every 24 hours.

    Just my 2 cents.

    --
    /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  9. Re:What the fuck is a 'snort'? by isorox · · Score: 2, Informative

    You're thinking of Snarf

  10. Re: Snort rules by Vantage · · Score: 2, Interesting

    If you like submit the update utility... I use oinkmaster and have had good luck but if someone has another option... it would be interesting to look at.

    As for the reasoning behind this. I have debated this with dozens of people in the last week. Snort.org and the sourceforge snort list are great resources.. but few people submit things that they think are only good for there INTERNAL use and nothing makes it into the signature-base until it gets approved... in my instalation and in others there is a need for a good source of sigs for exploits that have JUST been released. Snort.org doesnt want to, and I agree with them, start releasing untested signatures... They do an increadable job. I, and several others, wanted a place we could put our signatures for brand new stuff. so we each didnt have to write a new signature while we were waiting for the "official" sig to be released into the snort sig-base. This place give us a place to submit our sigs and use each others and it allows us to cut down on the maintenance time that we spend on our snort installs. It is a usefull place for us and I hope it becomes a usefull place for others in our situation.

    As for your rules being uninteresting... I bet there is someone out there that would find them handy... Its not like it is hard to post them... and maybe someone can use them... I say post what you have... it cant hurt and it might help someone out!!