Snort mailing list archives

Re: About virus.rules


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 17 May 2004 18:38:36 -0500

On Mon, 2004-05-17 at 16:53, Michael Sconzo wrote:
Similar to what we do around here at TAMU for the 40+ snort boxes
we have out in the wild.  I figured it would be a benefit to most
people (especially .edu's) that are trying to be good 'net neighbors
to everybody else, due to the nature of our user base.

I try to monitor the snort-sigs list and a few other places to try
and keep up with worm rules, due to problems they cause around here.
Figured it might be a good way to help give back...but oh well.

Mike,

I didn't mean to talk you out of it. But have you fully considered the
effort-benefit factor? It sounds like you already have started to extend
the virus.rules files in your .edu. How many rules do you have in there?
Does it impact performance? Can you keep up? If so, what process do you
have to add them?

Don't get me wrong. I'm all for sharing. But there also has to be one
standard -- the official Snort rule set.

Perhaps you want to contact Matthew and James (see postings from end of
April in Snort-sigs) to see if they want to include that in their custom
rule base? Or you can set up a central virus.rules repository yourself or
at SourceForge or wherever, so that you and others can share it. I think
everyone should make their custom rules available. That's what
snort-sigs is for. If you have a new virus sig rule, pass it on to
snort-sigs.

As far as a central repository for everyone, I don't think that is going
to work. Everyone has different needs or configurations, and doesn't want
to load the full set someone else might be using (especially with all
those false-positive prone rules). But the lack of a central repo
doesn't mean that we can't share.

(I'm sorry if I'm not making sense.... had too much work and too little
sleep lately...)

Regards,
Frank
(sometime coffee-shop something)
