IDS mailing list archives

Re: Signature development


From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
Date: Mon, 16 Jun 2003 11:34:12 -0700

Hi,
    I don't think there is any single place to collect this information.
    You need to be looking out at different places to get this information.
    Some of the data points for developing signatures are:
    www.cert.org
    bugtraq, vuln-dev mailing list and archives at www.securityfocus.com
    You can also see existing signatures at:
     www.snort.org
     www.whitehats.com/ids/index.html

Srini


Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message ----- 
From: <ravivsn () roc co in>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 10, 2003 10:05 AM
Subject: Signature development



   Hi,
         Thank you for the great answers on my earlier subject:
         Help in evaluating
         IDS/IPS solutions. I got several emails to my mailbox
         directly too. Interestingly (to me), a good number of respondents
         asked me to look at inline_snort.

          Though we plan to resell the IDS solution, we will also
          be directly responsible for maintaining the IDS solution in
          our customer base. Our customers expect us to select the
          IDS vendor and provide security in a timely manner. The onus is
          on us to get the right IDS vendor and it is our responsibility
          to provide signatures in a timely manner. What it means is that
          my company needs to produce signatures at times, if the
          IDS vendor is slow to respond. In this context, some of the company
          management think that in the long run, having control over
          software and development of signatures is good for us. I
          don't want to bother you with these details, but what I find
          is that we need to be proactive in providing new signatures
          for new exploits in a timely manner. In this context,
          I have the following questions.

         1. How do we get to know the new exploits? We found that
            www.cert.org provides advisories. We also found the
            www.securityfocus.com bugtraq list, which has exploit
            scripts/programs to some extent.
            Are there any other resources?

         2. These advisories have very high-level information on the
            exploit and patches from application vendors. But they
            don't have any information on the exact details of the exploit.

              To write the signatures, more information on the exploit
              is required, such as exploit details and attack scripts.
              Even if there is no script, detailed information on the
              exploit is required to write and test the signature.

              Where do I find this? Is there any list (commercial or free)
              to get this information?
              I tried to search in cert.org and securityfocus.com for
              this info on the internet, but could not.
              Any information on this is greatly appreciated.



      Thanks and regards
       Ravi



