mister_paul_717
Sep 16, 2009 (Nimbostratus)
managing signatures
Hey everyone,
I'm trying to find a way to manage our signatures better, because the way I'm currently trying to do it seems wrong.
Background: We currently have 2 signature sets we use - Generic Detection Signatures & a custom one that filters for our OS, App Server, Web Server, etc. Also, this is a web site that gets millions of requests a day.
Here's the basic problem I'm trying to resolve: We have a bunch of signatures that are blocking, and a handful that are still staging. I would like to break my signatures into 3 sets: ones being blocked that I'm confident are fine (and don't want to show up as I work with the signatures that are in learning mode), ones being blocked, but still in learning mode b/c I want to monitor them closely, and ones that I've disabled and never want to see or hear from again. Over time, I want to be able to migrate rules from the learning group into the blocking or disabled groups.
I can manually go through and create these groups, but it is painful. But that's okay. My real concern is how I will effectively move signatures from the learning group to a different group when I know what I want to do with them. Furthermore, as new signatures are created and added to one of the Systems groups, how will I know about them and efficiently get them into the right group?
So - I'm curious how others are managing the signatures, particularly moving them in and out of staging and addressing new ones that arrive with a signature update.
Thanks,
Paul