[unisog] loose IDS collaboration for .EDU's

Pascal Meunier pmeunier at cerias.purdue.edu
Thu Jul 25 22:14:51 GMT 2002

If you wish, you are welcome to use our web-accessible database to 
share signatures.  We just finished a new section just for that 


It is hierarchical in the sense that an exploit has signatures 
(describing what aspect of the exploit you are trying to detect) and 
each signature has IDS rules attached for various IDSes (the encoding 
of how to detect the signature, in the language of each IDS).  You 
may also upload captured packets that provide support for a signature 
(any sanitization must be done on your end, however).

Regardless of whether you use it, I am interested in the subject.  I 
don't currently run one in production, but I am planning to install 
one "soon" (with all the necessary permissions, of course).

Pascal Meunier
Purdue University

At 2:28 PM -0700 7/25/02, Jake F Harwood wrote:
>The Security group at Berkeley has recently setup a loose 
>collaboration project with a few security savvy departments on 
>campus to help address among other things the limitations of 
>signature based IDS in open-compute-environments.
>I have found my self drawing a lot from the list to help me come up 
>with signatures for snort, and also notice the parallel in attack 
>trends among other .EDU's.
>And wile I dont feel comfortable sharing my sensor config's with the 
>hole group, I would like to see if anyone who runs a snort for an 
>.EDU has an interest in also starting a loose collaboration in hopes 
>to produce and share signatures and attack treads.
>I hope to hear everyones thoughts on this.
>Jake F Harwood                         University of California, Berkeley
>System & Network Security              2484 Shattuck Avenue
>                                                Phone (510)643-8241
>                                                Cell  (510)390-2580
>"Who is this General Failure and why is he reading my hard drive?" -F

More information about the unisog mailing list