[Snort-users] Reliability of signatures
molney at ...1935...
Fri Feb 4 09:58:28 EST 2011
To some extent the metadata field addresses some of that. If we put a rule
only in "security-ips", then there is something that gives us pause to
putting it in the more general "balanced-ips". This can be a number of
issues, including false-positive, performance or simply a small footprint of

We have talked about expanding our use of the metadata field to include a
wide variety of rule tags, including reliability. This is not a short-term
effort, but it is on our radar.

On Fri, Feb 4, 2011 at 9:50 AM, Martin Holste <mcholste at ...11827...> wrote:
> > The snort signatures have a priority associated with them, either in the
> > rule itself, or in the classification. Is there anywhere that the
> > reliability (i.e. the chance of it not reporting a false positive) of the
> > signature is recorded?
>
> No. There has been a lot of discussion regarding whether or not
> something like that would be helpful. I think the short answer is
> that environments and preferences vary too widely to be able to
> effectively communicate a signature's fidelity. I would also argue
> for those same reasons priority should not be suggested either and it
> should be deprecated.
>
> I ignore both priority and classification for signatures as they are
> terribly broken right now. For instance, the signature "CHAT MSN
> messenger http link transmission attempt" is classified as Trojan
> activity. Sure, links in an MSN message can point to malware, but I
> hardly think that every MSN message with a link in it should be
> classified as "Trojan activity." This is not good intel.
>
> An effort is underway to redo the classification system, which is very
> welcome. However, I believe the new classification system will be
> almost as unhelpful because though more specific, it only allows for a
> signature to be placed in one category. I favor a tagging system in
> which a signature can have many tags applied to it for a comprehensive
> representation of the signature author's intent.
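The thread turns on two things: the `metadata` option already carries per-policy tags (a rule that appears only under "security-ips" and not "balanced-ips" is a signal in itself), and a richer tagging scheme, reliability included, is being considered. The script below is an added example, not code from the thread, from Sourcefire or from the Snort project. It parses rule text, pulls the `metadata` key/value pairs apart, and answers the operational questions a rule consumer asks: which SIDs a given policy enables, which rules meet a fidelity floor, and which rules carry no such tag at all (so `classtype` alone is what you would be left with, which is Martin's complaint). The three sample rules are constructed for the example; `policy <name> <action>` and `service` follow the convention the thread refers to, while the `reliability` key and its low/medium/high scale are hypothetical, standing in for the kind of tag discussed.

```python
"""Parse Snort rule metadata and select rules by policy or a (hypothetical) reliability tag."""
import re
from typing import Dict, List, Optional

# Constructed sample rules for this example, not taken from the thread or any
# Snort rule set. "policy <name> <action>" and "service" follow the convention
# the thread refers to; the "reliability" key is hypothetical.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE noisy heuristic"; flow:to_server,established; content:"/probe"; metadata:policy security-ips drop, service http, reliability low; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE exact exploit string"; flow:to_server,established; content:"|DE AD BE EF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http, reliability high; classtype:attempted-admin; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"EXAMPLE chat link; untagged"; flow:to_server,established; content:"http://"; classtype:trojan-activity; sid:1000003; rev:1;)
'''

RULE_RE = re.compile(r'^\s*(?P<action>\w+)\s+(?P<header>[^(]*?)\s*\((?P<options>.*)\)\s*$')
RELIABILITY_RANK = {"low": 0, "medium": 1, "high": 2}  # hypothetical scale, not a Snort feature


def split_options(body: str) -> List[str]:
    """Split the option body on ';' outside double quotes; honours backslash escapes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def parse_metadata(value: str) -> Dict[str, List[str]]:
    """'policy balanced-ips drop, service http' -> {'policy': ['balanced-ips drop'], 'service': ['http']}."""
    tags: Dict[str, List[str]] = {}
    for entry in value.split(','):
        fields = entry.split()
        if fields:
            tags.setdefault(fields[0], []).append(' '.join(fields[1:]))
    return tags


def parse_rule(line: str) -> Optional[dict]:
    """Parse one rule line into action, header, sid, msg, metadata and the remaining options."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = {"action": m.group("action"), "header": m.group("header").strip(),
            "sid": None, "msg": "", "metadata": {}, "options": {}}
    for opt in split_options(m.group("options")):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == "metadata":
            rule["metadata"] = parse_metadata(value)
        elif name == "msg":
            rule["msg"] = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
        elif name == "sid":
            rule["sid"] = int(value)
        else:
            rule["options"].setdefault(name, []).append(value)
    return rule


def parse_rules(text: str) -> List[dict]:
    """Parse a rules file body, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith('#'):
            rule = parse_rule(line)
            if rule is not None:
                rules.append(rule)
    return rules


def policies(rule: dict) -> Dict[str, str]:
    """Map each policy named in the rule's metadata to its action, e.g. {'balanced-ips': 'drop'}."""
    out = {}
    for entry in rule["metadata"].get("policy", []):
        fields = entry.split()
        if len(fields) == 2:
            out[fields[0]] = fields[1]
    return out


def sids_in_policy(rules: List[dict], policy_name: str) -> List[int]:
    """SIDs that the named policy (e.g. 'balanced-ips') would enable."""
    return sorted(r["sid"] for r in rules if policy_name in policies(r))


def sids_with_min_reliability(rules: List[dict], minimum: str) -> List[int]:
    """SIDs tagged at or above the (hypothetical) reliability floor; untagged rules are excluded, not defaulted."""
    floor = RELIABILITY_RANK[minimum]
    return sorted(r["sid"] for r in rules
                  if RELIABILITY_RANK.get(r["metadata"].get("reliability", [""])[0], -1) >= floor)


def sids_missing_tag(rules: List[dict], key: str) -> List[int]:
    """SIDs with no metadata entry for the key; these need review rather than a silent default."""
    return sorted(r["sid"] for r in rules if key not in r["metadata"])


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name in ("balanced-ips", "security-ips"):
        print(name, sids_in_policy(parsed, name))
    print("reliability>=medium", sids_with_min_reliability(parsed, "medium"))
    print("no reliability tag", sids_missing_tag(parsed, "reliability"))
```

Two design points carry over from the discussion. Metadata is a list of `key value` pairs rather than one category, so a rule can legitimately carry several `policy` entries and any number of further tags, which is the many-tags model Martin asks for. And a fidelity filter must treat an absent tag as "unknown" rather than quietly ranking it low or high; the third sample rule, classified `trojan-activity` but carrying no metadata, is exactly the case where the classification alone tells the operator nothing about false-positive rate.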