[Snort-users] Reliability of signatures

Matt Olney molney at ...1935...
Fri Feb 4 10:12:49 EST 2011


For VRT rules you can report FPs here:
http://www.snort.org/snort-rules/submit-a-false-positive

or you can drop an email to research at ...1935...

Matt

On Fri, Feb 4, 2011 at 10:03 AM, Jim Hranicky <jfh at ...5250...> wrote:

> On Fri, 4 Feb 2011 08:50:48 -0600
> Martin Holste <mcholste at ...11827...> wrote:
>
> > > The snort signatures have a priority associated with them, either in the
> > > rule itself, or in the classification. Is there anywhere that the
> > > reliability (i.e. the chance of it not reporting a false positive) of the
> > > signature is recorded?
> > >
> >
> > No.  There has been a lot of discussion regarding whether or not
> > something like that would be helpful.  I think the short answer is
> > that environments and preferences vary too widely to be able to
> > effectively communicate a signature's fidelity.  I would also argue
> > for those same reasons priority should not be suggested either and it
> > should be deprecated.
>
> Seems like there'd almost need to be a central place that various
> entities could report their findings. I know we've got rules that we
> rely on heavily and work very well for us, but other than mailing lists
> there's no place to report our findings.
>
> Anyone want to volunteer ? Sounds trivial :-p
>
> --
> Jim Hranicky
> IT Security Engineer
> Office of Information Security and Compliance
> University of Florida
>
>