Wednesday, June 15, 2005

Bleeding Snort Innovations

Several interesting projects are taking shape at Bleeding Snort, described as "the aggregation point for Snort signatures and research." The spyware Blackhole DNS project collects domain names associated with spyware and publishes a hosts file that maps each of them to localhost, so an infected machine's requests to those domains never leave the box. Matt Jonkman now wants to extend the idea to create the Spyware Listening Post.

Rather than have a domain like 1000funnyvideos.com point to localhost (127.0.0.1), the Spyware Listening Post proposes resolving the host to an IP address operated by the SLP project. Requests from infected machines then arrive at a server the project controls, where they can be logged and measured to gather intelligence on spyware: which domains are contacted, from how many sources, and with what request patterns. This is an interesting idea and I look forward to seeing how it develops.
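The two variants described above, as an added example that is not code from Bleeding Snort or the SLP project: the same domain list is written out either as a Blackhole DNS hosts file (everything to 127.0.0.1) or pointed at a listening-post address, and the listening post turns each HTTP request it receives into an intelligence record. The domain list, the request bytes and the addresses are constructed samples; the assumption is that the sinkhole terminates plain HTTP and sees the raw request together with the client address.

```python
"""Blackhole DNS hosts-file generation and listening-post request intake.

Added example, not code from Bleeding Snort or the SLP project. Assumes the
sinkhole terminates plain HTTP and has the raw request bytes plus client IP.
"""

# Constructed sample of a Blackhole-DNS-style domain list (not the real list).
SINKHOLED_DOMAINS = {
    "1000funnyvideos.com",
    "www.1000funnyvideos.com",
}


def hosts_file_lines(domains, target="127.0.0.1"):
    """Blackhole DNS form: map every domain to target (localhost by default).
    Passing the listening post's address as target gives the SLP variant."""
    return [f"{target} {d}" for d in sorted(domains)]


def parse_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request.
    Returns None for anything that is not a well-formed request."""
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii", errors="replace").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def intake(client_ip, raw):
    """Turn one request hitting the listening post into an intelligence record.

    Returns None when the Host header is not a domain we deliberately
    sinkholed, so stray scanner traffic does not pollute the statistics."""
    req = parse_request(raw)
    if req is None:
        return None
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host not in SINKHOLED_DOMAINS:
        return None
    return {
        "src": client_ip,
        "domain": host,
        "path": req["path"],
        "ua": req["headers"].get("user-agent", ""),
    }


def summarize(records):
    """Count distinct infected sources per sinkholed domain."""
    per_domain = {}
    for r in records:
        per_domain.setdefault(r["domain"], set()).add(r["src"])
    return {d: len(s) for d, s in per_domain.items()}


# Constructed sample traffic: two infected hosts, one repeat, one unrelated
# request and one non-HTTP blob (RFC 5737 documentation addresses).
SAMPLE = [
    ("192.0.2.10", b"GET /update.php?id=42 HTTP/1.1\r\nHost: 1000funnyvideos.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("192.0.2.11", b"GET /update.php?id=42 HTTP/1.1\r\nHost: www.1000funnyvideos.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("192.0.2.10", b"GET /ping HTTP/1.1\r\nHost: 1000funnyvideos.com\r\n\r\n"),
    ("198.51.100.5", b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("198.51.100.6", b"garbage"),
]


def run_sample():
    """Feed the constructed traffic through intake() and summarize it."""
    records = []
    for ip, raw in SAMPLE:
        rec = intake(ip, raw)
        if rec is not None:
            records.append(rec)
    return summarize(records)


if __name__ == "__main__":
    for line in hosts_file_lines(SINKHOLED_DOMAINS):
        print(line)
    print(run_sample())
```

Counting distinct sources rather than raw hits matters: a single infected machine that polls its update server every minute would otherwise dominate the numbers, and the Host check keeps Internet background noise aimed at the sinkhole's IP out of the spyware statistics.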

Bleeding Snort also houses the Snort Test Suite. Nothing appears to have been released, but it would be cool to see them coordinate with Turbo Snort Rules.

Finally, I found a funny thread in the bleeding-sigs mailing list. Essentially a commercial vendor complained about a change in the Bleeding Snort rule set:

"These new SSH signatures brought down all of our customer's Snort installations because that SSH_PORTS variable is not in the default snort.conf file."

Why did that happen?

"The AWCC [the vendor's product] now downloads signatures from bleeding-edge automatically, I'm sure there are other tools that do the same."

Good grief -- what a poor design decision. A commercial vendor retrieves and loads rules on a customer-deployed system "automatically?" The failure here was entirely predictable: a rule that references a variable the configuration never defines is a fatal error when Snort loads its rules, so every sensor that pulled the new SSH signatures without an SSH_PORTS definition stopped running. How difficult is it to perform even a basic test of the rules to ensure they don't break something, before deploying on production boxes? That's embarrassing. Consider this minor breakage a lesson in good engineering, as Mike Poor confirms.
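The kind of pre-deployment check that would have caught this, as an added example that is not code from Bleeding Snort, Snort or the vendor quoted above: before an automatic update activates a new rule set, confirm that every `$NAME` the rules reference is declared by a `var`, `portvar` or `ipvar` line in the configuration or the rule file itself. The snort.conf fragment and the SSH rules below are constructed stand-ins, not the real default configuration or the bleeding-edge signatures.

```python
"""Gate an automatic Snort rule update on a variable-definition check.

Added example, not code from Bleeding Snort, Snort or the vendor quoted in
the post. It assumes the text formats snort.conf and rule files use:
variables are declared with `var`, `portvar` or `ipvar` lines and referenced
as `$NAME`. The config and rules below are constructed samples.
"""
import re
import sys

DEF_RE = re.compile(r"^(?:var|portvar|ipvar)\s+([A-Za-z_]\w*)\s+(\S.*)$")
REF_RE = re.compile(r"\$([A-Za-z_]\w*)")


def logical_lines(text):
    """Yield non-empty, non-comment lines with backslash continuations joined."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def definitions(text):
    """Variable names declared in a config or rules file."""
    return {m.group(1) for m in map(DEF_RE.match, logical_lines(text)) if m}


def undefined_variables(conf_text, rules_text):
    """Map each $NAME that no file defines to the lines that reference it.

    Definition values are checked as well, since a line such as
    `var EXTERNAL_NET !$HOME_NET` is itself a reference."""
    defined = definitions(conf_text) | definitions(rules_text)
    missing = {}
    for line in list(logical_lines(conf_text)) + list(logical_lines(rules_text)):
        for name in REF_RE.findall(line):
            if name not in defined:
                missing.setdefault(name, []).append(line)
    return missing


def safe_to_deploy(conf_text, rules_text):
    """True only when every referenced variable is defined somewhere."""
    return not undefined_variables(conf_text, rules_text)


# Constructed stand-in for a stock snort.conf of the era: no SSH_PORTS.
DEFAULT_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80
"""

# Constructed rules that reference $SSH_PORTS without declaring it
# (sids in the local 1000000+ range; not the bleeding-edge rule set).
NEW_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SAMPLE SSH banner seen"; \\
    flow:to_server,established; content:"SSH-"; depth:4; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE web request"; \\
    flow:to_server,established; content:"GET "; depth:4; sid:1000002; rev:1;)
"""

# The fix the affected sensors needed: declare the variable before loading.
FIXED_CONF = DEFAULT_CONF + "var SSH_PORTS 22\n"


if __name__ == "__main__":
    missing = undefined_variables(DEFAULT_CONF, NEW_RULES)
    for name, lines in missing.items():
        print(f"undefined variable ${name} referenced by {len(lines)} line(s):")
        for line in lines:
            print("   ", line)
    # Non-zero exit stops an update script from activating the rules.
    sys.exit(0 if safe_to_deploy(DEFAULT_CONF, NEW_RULES) else 1)
```

A static check like this only catches the one failure the thread describes. The full test is to load the candidate configuration on a staging sensor with Snort's test mode (`snort -T -c snort.conf`), which exercises the real parser and exits non-zero on any fatal error, and to activate the rules on production boxes only after that passes.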

1 comment:

Scott said...

The commercial vendor later claimed it was only one customer who was doing this (customer's being possessive, not plural was his argument). Still, sounds fishy to me.