IDS mailing list archives
Re: Signature development
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
Date: Mon, 16 Jun 2003 11:34:12 -0700
Hi,

I don't think there is any single place to collect this information. You need to be looking out at different places to get this information. Some of the data points for developing signatures are:

www.cert.org
bugtraq, vuln-dev mailing list and archives at www.securityfocus.com

You can also see existing signatures at:

www.snort.org
www.whitehats.com/ids/index.html

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com

----- Original Message -----
From: <ravivsn () roc co in>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 10, 2003 10:05 AM
Subject: Signature development
Hi,

Thank you for the great answers on my earlier subject: Help in evaluating IDS/IPS solutions. I got several emails to my mailbox directly too. Interestingly (to me), a good number of respondents asked me to look at inline_snort.

Though we plan to resell the IDS solution, we will also be directly responsible for maintaining the IDS solution in our customer base. Our customers expect us to select the IDS vendor and provide security in a timely manner. The onus is on us to get the right IDS vendor and it is our responsibility to provide signatures in a timely manner. What it means is that my company needs to produce signatures at times, if the IDS vendor is slow to respond. In this context, some of the company management think that in the long run, having control over software and development of signatures is good for us.

I don't want to bother you with these details, but what I find is that we need to be pro-active in providing new signatures for new exploits in a timely manner. In this context, I have the following questions.

1. How do we get to know the new exploits? We found that www.cert.org provides advisories. We also find the www.securityfocus.com bugtraq list, which has exploit scripts/programs to some extent. Are there any other resources?

2. These advisories have very high level information on the exploit and patches from application vendors. But they don't have any information on exact details of the exploit. To write the signatures, more information on the exploit is required, such as exploit details, attack scripts. Even if there is no script, detailed information on the exploit is required to write and test the signature. Where do I find this? Is there any list (commercial or free) to get this information? I tried to search in cert.org and securityfocus.com for this info on internet, but could not.

Any information on this is greatly appreciated.
Thanks and regards
Ravi