Please give me any feedback on its utility, features, and of course bugs (it is _very_ beta after all).
June 13, 2000
Snort (or any IDS) for that matter is only useful to the degree that it has the latest signatures for possible exploits. There are two great repositories for Snort rules:
When a rule is determined to be non-applicable, two actions can be taken. A simple approach is to take the stance that the potential exploit is a non-issue because it is targeted at a non-existent service (i.e. you are not vulnerable). Thus, non-applicable rules can be discarded from the rules list. However, for the more paranoid, it is valuable to know _all_ the attacks which are being attempted against your network. Therefore, snortrules can also merely change the text of the particular alert to indicate that the rule was triggered but does not apply.
The obvious caveat and possible flaw with such as scheme deals with "Trojan/Backdoor"-like programs which might be installed on client machines. For example, you scan the network and parse the rules file. A static determination of the what rules are applicable was made. After doing so, rogue server-software (e.g. BO, NetBus, trin00) gets loaded on one of your boxes. So technically, since this rogue server was not present prior to the scan, snortrules had marked as non-applicable that particular rule used to detect this software. This is a bad thing ... but will I really miss the attack? Well not really. After all the communication will probably be bi-directional. You can catch the illicit server with a rule about its communications with a client. The other moral of the story is run snortrules often to constantly keep your signatures fresh. Stay tuned for more automated ways of including customized rules directly into Snort! They should make this problem a non-issue.