Home page logo
/

snort logo Snort mailing list archives

Re: Bases for writting snort rules
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Jun 2013 11:14:09 -0400

The criteria on which they are written are the vulnerabilities or conditions that we find either through malware 
analysis, vulnerability analysis, etc, and we figure out what we need to write the rule to protect the customer from 
the attack.  There are just too many sources and criteria to easily list.

What is the reason you are asking?


On Jun 4, 2013, at 8:02 AM, Guy Martial Nkenne Tchassi <nkennetguy () gmail com> wrote:

Thanks for your reaction but i'm still not understanding the criteria on wich snort rules currently released on 
snort.org are written.
The purpose for this question is to know how to obtain the description of well-known intrusions in order to get a 
clearer definition of what is an 'intrusion'.

Please help me understand better.


2013/5/16 lists () packetmail net <lists () packetmail net>
On 05/16/2013 07:34 AM, Guy Martial Nkenne Tchassi wrote:
Then for each treat, there is a
sort of predefined set of actions that can be undertaken to eliminate the
threats.

The 'References' section of the individual signatures are a good place to apply
some context around the particular signature and potential remediation options.
 That being said, the references are not comprehensive nor are they a road-map
to full remediation.  I'm unaware of any database that provides a mapping of
snort signatures to incident severity to remediation/mitigation methods.  As I
understand it this task is the responsibility of the IDS analyst and is actually
one of the core roles I believe an analyst should be capable of performing.
Remediation options and mitigation approaches will also vary based on
organizational risk assessment, LOB impact, etc.

Should such an undertaking occur to develop such a data warehouse I see it is
daunting with a high propensity to be incomplete and unable to address the niche
needs of each organization.

Cheers,
Nathan

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]