[Snort-users] Reliability of signatures

Jim Hranicky jfh at ...5250...
Fri Feb 4 10:03:32 EST 2011


On Fri, 4 Feb 2011 08:50:48 -0600
Martin Holste <mcholste at ...11827...> wrote:

> > The snort signatures have a priority associated with them, either in the
> > rule itself, or in the classification. Is there anywhere that the
> > reliability (i.e. the chance of it not reporting a false positive) of the
> > signature is recorded?
> >
> 
> No.  There has been a lot of discussion regarding whether or not
> something like that would be helpful.  I think the short answer is
> that environments and preferences vary too widely to be able to
> effectively communicate a signature's fidelity.  I would also argue
> for those same reasons priority should not be suggested either and it
> should be deprecated.

Seems like there'd almost need to be a central place that various
entities could report their findings. I know we've got rules that we
rely on heavily and work very well for us, but other than mailing lists
there's no place to report our findings. 

Anyone want to volunteer? Sounds trivial :-p

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida



