Snort mailing list archives
Re: Re: Status of Snort and the Rules - Stalled???
From: Jukka Juslin <jtjuslin () hutcs cs hut fi>
Date: Fri, 25 Jul 2003 10:56:04 +0300 (EEST)
Hi,

I think quite many Snort rules are really old and a whole update of some Snort rulesets may have happened a long time ago. "A long time" in the security field can be a short time - think about the "Window of Vulnerability" for example, when there is yet no patch. You could at least detect if there is an attack.

Snort falls far back from Nessus, where new plugins are coming in much faster. Behind Nessus, there is only one person, who basically does most of the work. Perhaps this is the only working "open source" model... I think the author of Snort is busy doing something else, which is totally understandable.

Perhaps the required documentation of new rules, to be included in the distribution, could be made less. This would speed up release. Also, if I seem to have been able to make a useful rule (which I am indeed able to test), I would like it to get included in the Snort distribution asap.

Even though an old idea, a public web-based rating for plugins might help. If a certain new plugin gets enough yes votes, it could be automatically added to the distribution (and no "no" votes). Well, human intervention is required anyway.

If there would be somebody, who is competent and willing to spend a lot of time with Snort signatures, I think he/she should be given the political power to decide, develop and add new signatures. I think the main interest of the old developers is on the Snort "Engine" side.

Jukka

On Fri, 25 Jul 2003, Francesco wrote:

->Recently.
->ISS sent out this message to some of their customers and partners
->
->(..)
->I did some recent checking into our Network IDS competition and how they
->went about protecting their customers from the new Microsoft vulnerability
->(http://xforce.iss.net/xforce/alerts/id/147). X-Force shipped XPUs for this
->vulnerability and the big Cisco DoS already (7/18 and 7/19). Here is how
->everyone else stacks up:
->
->   Symantec Manhunt    No protection
->   Cisco IDS           No protection
->   Netscreen           No protection
->   Intruvert/NAI       No protection
->   Snort               No protection
->
->(..)
->The promotional purpose is clear but the content is not far from what
->everyone here would like to say first.
->
->Now, the question everyone can ask is: what is the status with such
->rule/exploit?
->Some of us are better than others to release and support new rules. I had
->a look at the RPC rules, its status is : v. 1.46, released June 2003.
->
->I'd like to contribute in an active manner, but maybe my resources are
->scarce on this side.
->Nonetheless, some sort of priority could really be necessary in cases like
->this.
->
->Comments?
->Francesco

--
Jukka Juslin (M.Sc.)
http://www.cs.hut.fi/u/jtjuslin/
Jukka.Juslin () hut fi
+ 358 40 520 9879

"There was total confusion in the theatre. Some shouted one thing, some another, and most did not even know why they had assembled." Acts 19:32
Current thread:
- Status of Snort and the Rules - Stalled??? Michael Steele (Jul 23)
- Re: Status of Snort and the Rules - Stalled??? Bennett Todd (Jul 23)
- Re: Status of Snort and the Rules - Stalled??? Matt Kettler (Jul 23)
- Re: Status of Snort and the Rules - Stalled??? Chris Green (Jul 24)
- <Possible follow-ups>
- Status of Snort and the Rules - Stalled??? Michael Steele (Jul 23)
- Re: Status of Snort and the Rules - Stalled??? Francesco (Jul 24)
- Re: Re: Status of Snort and the Rules - Stalled??? Jukka Juslin (Jul 25)
- Re: Re: Status of Snort and the Rules - Stalled??? Bruno Saverio Delbono (Jul 25)
- Re: Re: Status of Snort and the Rules - Stalled??? Jukka Juslin (Jul 25)
- Re: Status of Snort and the Rules - Stalled??? Bennett Todd (Jul 23)