Folks,

I would think that if there is sufficient interest in creating and maintaining such a repository, so that developers of intrusion detection systems can have high confidence that the information is correct and relatively complete, that you might consider formulating this as a project to propose to some funding source, especially if you also propose to provide the information in a "safe" way (perhaps on an offline subscription basis so you know who you are sending it to) to the intrusion detection developers (and perhaps also users), and you work with CERT or ASSIST or one of those clearinghouses who collects all this information anyway, and you formulate the results into rules that are suitable for direct inclusion into those systems.

This would have the obvious benefit that the developers don't have to duplicate each other's work, and will mean that a user of an intrusion detection system doesn't have to be an expert in intrusion techniques or system vulnerabilities.

As for normal behavior, Calvin Ko at UC Davis is putting together some rules that encode the normal expected behavior of privileged Unix programs so you can detect departures from those norms.

Teresa

==============

> Will you start this, maintain a listserv, or summarize on ids?

I think it could be an adjunct to this list, but first things first. It must be determined that there is sufficient support for an undertaking like this. For one person it could easily be a full-time job, but with a large group of persons (such as the members of this mailing list) contributing on an ongoing basis, someone might be able to manage it in their "spare time". @|:-)

Second, if the support is there, then move on to questions of "how" it might be done.

Thanks for your comments.

Jim Truitt