Wednesday, January 9, 2019

Snort.org and the Documentation Saga: A Survey

Cisco users with Firepower Threat Defense (FTD) on an Adaptive Security Appliance (ASA) are running SNORT®, our open-source intrusion protection system, under the hood, along with a suite of other Talos-fueled security processes. Snort monitors traffic by sniffing packets and comparing their contents against tens of thousands of rules written to find all kinds of malware and other malicious activity. Our analysts are constantly creating new rules to cover vulnerabilities in a wide range of products. The highly active open-source community around Snort adds rules for general and niche network configurations, as well.

When Snort sends up an alert — whether that shows in the FTD console or in a command prompt — the user takes over to provide that human element required to research the alert, find out how their network might be affected and respond appropriately.

The first resource is the alert, which comes with a brief message, followed by the documentation for the rule that triggered the alert. FTD users can currently see the alert, rule, and any documentation for that SID without leaving the console. Self-compilers need to go the extra step to Snort.org to see the rule. Soon, FTD customers will be directed to Snort.org as well, as the end-all repository of data and documentation on Snort.

So What’s the Problem?

Users on either the FTD or open-source side may have noticed that the rule documentation is often sparse. At the rate new rules come out, putting out quality documentation is a challenge. This stems from a lack of context — users need the context of why this alert appeared and how it affects them, while analysts don’t always know the context of the users’ needs, their level of understanding, or particular network configurations.

So we’re polling the Snort community to find out what you need. What you really need, not what we think you do, or what is easiest for us to provide. We want changes to have an impact on users in order to improve their experience and the quality of Snort.

To facilitate this, we’re sending out a survey to all users. Depending on how deep you want to go, the survey takes around five minutes to finish. We are also adding feedback options to Snort rule documentation pages. Let us know if a page was useful or not. If not, leave a note about what you came looking for and couldn't find. Perhaps we can add it, to better educate the community.

Our hope is that with the feedback we receive from the survey, our analysts can provide targeted information to communicate the most useful details on rule alerts. The more information we gather on customer frustrations, the better chance we have of finding ways to solve them to create a community and customer base with the right arsenal to overcome their security challenges.

Link to Survey: https://www.research.net/r/27CHJCH