Snort mailing list archives
Re: About virus.rules
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 17 May 2004 18:38:36 -0500
On Mon, 2004-05-17 at 16:53, Michael Sconzo wrote:
Similar to what we do around here at TAMU for the 40+ snort boxes we have out in the wild. I figured it would be a benefit to most people (especially .edu's) that are trying to be good 'net neighbors to everybody else, due to the nature of our user base. I try to monitor the snort-sigs list and a few other places to try and keep up with worm rules, due to problems they cause around here. Figured it might be a good way to help give back...but oh well.
Mike, I didn't mean to talk you out of it. But have you fully considered the effort-benefit factor? It sounds like you already have started to extend the virus.rules files in your .edu. How many rules do you have in there? Does it impact performance? Can you keep up? If so, what process do you have to add them?

Don't get me wrong. I'm all for sharing. But there also has to be one standard -- the official Snort rule set. Perhaps you want to contact Matthew and James (see postings from end of April in Snort-sigs) to see if they want to include that in their custom rule base? Or you can set up a central virus.rules repository yourself or at SourceForge or wherever, so that you and others can share it.

I think everyone should make their custom rules available. That's what snort-sigs is for. If you have a new virus sig rule, pass it on to snort-sigs. As far as a central repository for everyone, I don't think that is going to work. Everyone has different needs or configurations, and doesn't want to load the full set someone else might be using (especially with all those false-positive prone rules). But the lack of a central repo doesn't mean that we can't share.

(I'm sorry if I'm not making sense.... had too much work and too little sleep lately...)

Regards,
Frank (sometime coffee-shop something)