Snort mailing list archives
Snort Signature Rule Documentation
From: "Carlos Felix" <snort () xiata com>
Date: Thu, 3 Jul 2003 00:12:58 -0500 (EST)
I have asked this once before here, but it either got lost in the line noise or no one cared enough to even tell me to shut up and take a hike, but I'll ask again and also try to make some other points.

Is there any way to download the Snort Signature Database rule documentation? How about the related database/info from arachNIDS, or CVE, or Bugtraq, etc.?

The reason for the question is that I have to generate reports for my boss on the results of the previous day's triggered signatures, and if I give him a copy of the rule he will look at it like a monkey trying to do some high-level calculus and ask me to explain. So I have made a new table in my Snort alert DB that I call in during a report to correlate the SID of the triggered rule to some plain old English text that explains it in some form that a carbon-based life form can understand.

With that said, I am willing to post the table and its content if anyone is interested in what I have so far.

What I have done is look up the SID on the Snort page and copy the English explanation of the rule to a field. Sometimes when the rule is not explained at the Snort website but has a reference to CVE, Bugtraq, arachNIDS, etc., I go to those sources to get the info on the rule and put it in the table. To that end I have sometimes taken pieces of info from one site and some other info from another site and so on to make a reasonable explanation of the rule.

Something that I have found in all this searching for info is that the Snort site never references the ISS explanations for some of these rules (and what I have gotten from ISS has to be the BEST damn documentation of some of these rules). Is there a reason for this? Other than maybe the folks that maintain the Snort website are busy with other things. I mean, I understand that the folks that maintain the website have real jobs that need to be tended to before work can go into a GNU project.
Carlos
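The SID-to-plain-English lookup described in the message above, sketched as an added example; it is not the poster's table or code. The `alert` and `sid_doc` tables, their columns, the SIDs and the descriptions are all constructed for illustration and do not reflect the real Snort database schema.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical,
# not the real Snort database schema or the poster's table.
ALERTS = [  # (timestamp, sid, source address)
    ("2003-07-02 01:14:07", 1000001, "192.0.2.10"),
    ("2003-07-02 09:30:41", 1000001, "192.0.2.77"),
    ("2003-07-02 13:02:19", 1000002, "198.51.100.4"),
    ("2003-07-03 00:05:00", 1000001, "192.0.2.10"),  # next day, must be excluded
]
SID_DOCS = [  # (sid, plain-English text, where the text came from)
    (1000001, "Someone probed the web server for a known vulnerable script.",
     "constructed"),
]

def build_db():
    """Create an in-memory database holding the alerts and the lookup table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert (ts TEXT, sid INTEGER, src_ip TEXT)")
    db.execute("CREATE TABLE sid_doc "
               "(sid INTEGER PRIMARY KEY, plain_text TEXT, source TEXT)")
    db.executemany("INSERT INTO alert VALUES (?, ?, ?)", ALERTS)
    db.executemany("INSERT INTO sid_doc VALUES (?, ?, ?)", SID_DOCS)
    return db

def daily_report(db, day):
    """Return (sid, hits, distinct sources, text) for each SID seen on `day`.
    The LEFT JOIN keeps SIDs with no write-up so they are not silently dropped."""
    return db.execute(
        """SELECT a.sid, COUNT(*), COUNT(DISTINCT a.src_ip),
                  COALESCE(d.plain_text, 'NO DESCRIPTION YET')
           FROM alert a LEFT JOIN sid_doc d ON d.sid = a.sid
           WHERE date(a.ts) = ?
           GROUP BY a.sid ORDER BY COUNT(*) DESC, a.sid""", (day,)).fetchall()

def undocumented(db, day):
    """SIDs that fired on `day` but still need an entry in the lookup table."""
    rows = db.execute(
        """SELECT DISTINCT a.sid FROM alert a
           LEFT JOIN sid_doc d ON d.sid = a.sid
           WHERE date(a.ts) = ? AND d.sid IS NULL ORDER BY a.sid""", (day,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for sid, hits, srcs, text in daily_report(db, "2003-07-02"):
        print(f"SID {sid}: {hits} alert(s) from {srcs} source(s) - {text}")
    print("Needs a write-up:", undocumented(db, "2003-07-02"))
```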
Current thread:
- Snort Signature Rule Documentation Carlos Felix (Jul 02)
- Re: Snort Signature Rule Documentation Rich Adamson (Jul 03)
- Re: Snort Signature – Rule Documentation Michael L. Artz (Jul 03)