Snort mailing list archives

Re: Re: Status of Snort and the Rules - Stalled???


From: Jukka Juslin <jtjuslin () hutcs cs hut fi>
Date: Fri, 25 Jul 2003 10:56:04 +0300 (EEST)


Hi,

I think quite a few Snort rules are really old and a whole update of
some Snort rulesets may have happened a long time ago. "A long time" in
the security field can be a short time - think about the "Window of
Vulnerability" for example, when there is yet no patch. You could at least
detect if there is an attack.

Snort falls far back from Nessus, where new plugins are coming in much
faster. Behind Nessus, there is only one person, who basically does most
of the work. Perhaps this is the only working "open source" model...

I think the author of Snort is busy doing something else, which is totally
understandable.

Perhaps the required documentation of new rules, to be included in the
distribution, could be made less. This would speed up release. Also, if I
seem to have been able to make a useful rule (which I am indeed able to
test), I would like it to get included in the Snort distribution asap.

Even though an old idea, a public web based rating for plugins might help.
If a certain new plugin gets enough yes votes, it could be automatically
added to the distribution (and no "no" votes). Well, human intervention
is required anyway. If there would be somebody, who is competent and
willing to spend a lot of time with Snort signatures, I think he/she
should be given the political power to decide, develop and add new
signatures. I think the main interest of the old developers is on the
Snort "Engine" side.

Jukka

On Fri, 25 Jul 2003, Francesco wrote:

->Recently.
->ISS sent out this message to some of their customers and partners
->
->(..)
->I did some recent checking into our Network IDS competition and how they
->went about protecting their customers from the new Microsoft vulnerability
->(http://xforce.iss.net/xforce/alerts/id/147).  X-Force shipped XPUs for this
->vulnerability and the big Cisco DoS already (7/18 and 7/19).  Here is how
->everyone else stacks up:
->
->  Symantec Manhunt            No protection
->  Cisco IDS                   No protection
->  Netscreen                   No protection
->  Intruvert/NAI               No protection
->  Snort                       No protection
->
->(..)
->The promotional purpose is clear but the content is not far from what
->everyone here would like to say first.
->
->Now, the question everyone can ask is: what is the status with such
->rule/exploit?
->Some of us are better than others to release and support new rules. I had
->a look at the RPC rules, its status is: v. 1.46, released June 2003.
->
->I'd like to contribute in an active manner, but maybe my resources are
->scarce on this side.
->Nonetheless, some sort of priority could really be necessary in cases like
->this.
->
->Comments?
->Francesco

--
Jukka Juslin (M.Sc.)            "The theatre was in complete confusion.
http://www.cs.hut.fi/u/jtjuslin/ Some were shouting one thing, some another,
Jukka.Juslin () hut fi              and most did not even know
+ 358 40 520 9879                why they had assembled." Acts 19:32


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

