[Snort-users] Reliability of signatures

Matt Olney molney at ...1935...
Fri Feb 4 09:58:28 EST 2011

To some extent the metadata field addresses some of that.  If we put a rule
only in "security-ips", then there is something that gives us pause about
putting it in the more general "balanced-ips".  This can be a number of
issues, including false positives, performance or simply a small footprint of
affected users.

We have talked about expanding our use of the metadata field to include a
wide variety of rule tags, including reliability.  This is not a short-term
effort, but it is on our radar.


On Fri, Feb 4, 2011 at 9:50 AM, Martin Holste <mcholste at ...11827...> wrote:

> > The snort signatures have a priority associated with them, either in the
> > rule itself, or in the classification. Is there anywhere that the
> > reliability (i.e. the chance of it not reporting a false positive) of the
> > signature is recorded?
> >
> No.  There has been a lot of discussion regarding whether or not
> something like that would be helpful.  I think the short answer is
> that environments and preferences vary too widely to be able to
> effectively communicate a signature's fidelity.  I would also argue
> for those same reasons priority should not be suggested either and it
> should be deprecated.
> I ignore both priority and classification for signatures as they are
> terribly broken right now.  For instance, the signature "CHAT MSN
> messenger http link transmission attempt" is classified as Trojan
> activity.  Sure, links in an MSN message can point to malware, but I
> hardly think that every MSN message with a link in it should be
> classified as "Trojan activity."  This is not good intel.
> An effort is underway to redo the classification system, which is very
> welcome.  However, I believe the new classification system will be
> almost as unhelpful because though more specific, it only allows for a
> signature to be placed in one category.  I favor a tagging system in
> which a signature can have many tags applied to it for a comprehensive
> representation of the signature author's intent.
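As an added illustration (not code from this thread or from the Snort project) of the two things discussed above, the policy entries in the metadata field and the single-value classtype versus a multi-tag scheme, here is a small parser that reads Snort 2 rules, pulls out the "policy <name> <action>" entries, and keeps any other metadata keys as free-form tags. The sample rules are constructed for this example, the sids are in the local range, and the "reliability" key is a hypothetical tag used only to show what a richer tagging scheme could carry; it is not a key any ruleset defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort 2 syntax (not from any real ruleset; sids are
# in the local 1000000+ range).  The "policy <name> <action>" metadata entries are
# the convention the thread refers to; "reliability" is a hypothetical tag added
# here to illustrate what a richer tagging scheme could carry.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE exploit attempt"; flow:to_server,established; content:"/example"; metadata:policy balanced-ips drop, policy security-ips drop, reliability high; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy heuristic"; flow:to_server,established; content:"abc"; metadata:policy security-ips drop, reliability low; classtype:misc-activity; sid:1000002; rev:2;)
# comment lines and blank lines are skipped

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"EXAMPLE chat link"; content:"http|3a|//"; classtype:trojan-activity; sid:1000003; rev:1;)
"""

# Matches "key:value;" or a bare flag "key;" inside the rule body.  This does not
# handle a literal "\;" inside a quoted value, which a full rule parser must.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*(.*?))?\s*;')
RULE_RE = re.compile(r'\s*(\w+\s+.*?)\s*\((.*)\)\s*$')


@dataclass
class Rule:
    header: str
    msg: str
    sid: int
    rev: int
    classtype: str                                 # exactly one category per rule
    policies: dict = field(default_factory=dict)   # policy name -> action
    tags: dict = field(default_factory=dict)       # any other metadata key -> value


def parse_metadata(value):
    """Split 'policy balanced-ips drop, reliability high' into policies and tags."""
    policies, tags = {}, {}
    for entry in value.split(','):
        parts = entry.split()
        if not parts:
            continue
        key, rest = parts[0], parts[1:]
        if key == 'policy' and len(rest) == 2:
            policies[rest[0]] = rest[1]
        else:
            tags[key] = ' '.join(rest)
    return policies, tags


def parse_rule(line):
    """Parse one rule line into a Rule, or return None for a non-rule line."""
    m = RULE_RE.match(line)
    if not m:
        return None
    header, body = m.groups()
    opts = {}
    for key, val in OPTION_RE.findall(body):
        opts.setdefault(key, val)   # keep the first value of a repeated option
    policies, tags = parse_metadata(opts.get('metadata', ''))
    return Rule(
        header=header,
        msg=opts.get('msg', '').strip('"'),
        sid=int(opts['sid']),
        rev=int(opts.get('rev', '0')),
        classtype=opts.get('classtype', ''),
        policies=policies,
        tags=tags,
    )


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def rules_in_policy(rules, policy):
    """Rules that a given policy (e.g. 'balanced-ips') enables."""
    return [r for r in rules if policy in r.policies]


def security_only(rules):
    """Rules in security-ips but held back from balanced-ips."""
    return [r for r in rules if 'security-ips' in r.policies
            and 'balanced-ips' not in r.policies]


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(f"sid {r.sid} classtype={r.classtype} policies={r.policies} tags={r.tags}")
    print("held back from balanced-ips:", [r.sid for r in security_only(rules)])
```

The `security_only` list is the set the first message describes: rules a ruleset ships in "security-ips" but not in "balanced-ips", which is the only signal about expected noise the metadata field currently carries. The third sample rule shows the other point in the thread: with only a classtype, a rule for chat links can be placed in just one bucket, whereas the `tags` dict can hold as many descriptive keys as the author wants to attach.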
