[Snort-users] Reliability of signatures

Michael Scheidell michael.scheidell at ...8144...
Fri Feb 4 10:36:25 EST 2011


On 2/4/11 10:23 AM, Martin Roesch wrote:
> I like that idea too.  It'd make a lot of sense to integrate it into
> snort.org - in fact there's probably a lot of data about Snort
> detection performance, config options and rule quality we could put up
> there.  Communication favors the defender...
>
> Marty
>
(greets marty, long time no hear..)

We have thought of something like this also.
Some type of 'CF' (confidence factor): users can enable/disable 
(oinkmaster, PulledPork, snort.conf module) based on CF and company policy.

Example: any rule with a CF of 100 (10? how granular do you want to 
get?) would mean that 100% of the time this rule does NOT FP!

If an inline/block/drop (fwsam) rule, it would always block; if in 
detection mode, always alert.

A CF rule of 1 (1%) would almost NEVER block/alert.

You could have different policies for block and alert.

Say, maybe, block on everything with a CF of >90%, alert on anything 
with a CF >50%.
-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008


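As an added example (not code from this thread, from Snort, or from oinkmaster/PulledPork), here is a Python script that applies the "block on CF >90, alert on CF >50, otherwise disable" policy described above to a rule file. It assumes a hypothetical `cf` key (0-100) carried inside each rule's standard `metadata:` option; Snort has no such key, it stands in for the proposed confidence factor. The sample rules are constructed for the example and are not real VRT or ET signatures.

```python
"""Hypothetical confidence-factor (CF) policy applied to a Snort rule file.

Added example, not code from the Snort-users thread, Snort, oinkmaster or
PulledPork. The 'cf' metadata key is an assumption standing in for the
confidence factor proposed in the thread; real Snort rules do not carry it.
"""
import re
from typing import Dict, Optional, Tuple

# Rule actions Snort accepts at the start of a rule line.
ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject")
RULE_RE = re.compile(r"^(?P<action>" + "|".join(ACTIONS) + r")\s+(?P<rest>.+)$")
# The standard metadata option: metadata:key value, key value;
META_RE = re.compile(r"metadata:\s*(?P<body>[^;]*);")

# Constructed sample ruleset (hypothetical sids, hypothetical 'cf' key).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE high confidence"; content:"foo"; metadata:cf 98; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE boundary case"; content:"bar"; metadata:policy balanced-ips drop, cf 90; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE low confidence"; content:"baz"; metadata:cf 20; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE no cf key"; content:"qux"; sid:9000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE already disabled"; content:"quux"; metadata:cf 99; sid:9000005; rev:1;)
"""


def parse_cf(rule: str) -> Optional[int]:
    """Return the hypothetical 'cf N' value (0-100) from a rule's metadata, or None."""
    m = META_RE.search(rule)
    if m is None:
        return None
    for pair in m.group("body").split(","):
        parts = pair.split()
        if len(parts) == 2 and parts[0] == "cf" and parts[1].isdigit():
            cf = int(parts[1])
            return cf if 0 <= cf <= 100 else None
    return None


def apply_policy(rule: str, block_at: int = 90, alert_at: int = 50) -> Tuple[str, str]:
    """Rewrite one rule line per the CF policy.

    Returns (new_line, outcome) where outcome is one of
    'drop', 'alert', 'disabled' or 'unchanged'. Comparisons are strict,
    matching the thread's wording (>90 blocks, so exactly 90 only alerts).
    Rules without a cf value, comments and blank lines are left untouched
    rather than silently disabled.
    """
    line = rule.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return line, "unchanged"
    m = RULE_RE.match(line)
    if m is None:
        return line, "unchanged"
    cf = parse_cf(line)
    if cf is None:
        return line, "unchanged"
    if cf > block_at:
        return "drop " + m.group("rest"), "drop"
    if cf > alert_at:
        return "alert " + m.group("rest"), "alert"
    # Below the alert threshold: disable the rule PulledPork-style by commenting it out.
    return "# " + line, "disabled"


def apply_policy_to_ruleset(text: str, block_at: int = 90,
                            alert_at: int = 50) -> Tuple[str, Dict[str, int]]:
    """Apply the policy to a whole rules file; returns (new_text, outcome_counts)."""
    out = []
    counts = {"drop": 0, "alert": 0, "disabled": 0, "unchanged": 0}
    for raw in text.splitlines():
        new_line, outcome = apply_policy(raw, block_at, alert_at)
        out.append(new_line)
        counts[outcome] += 1
    return "\n".join(out) + "\n", counts


if __name__ == "__main__":
    rewritten, summary = apply_policy_to_ruleset(SAMPLE_RULES)
    print(rewritten)
    print("summary:", summary)
```

For a detection-only sensor, raise `block_at` above 100 so nothing is ever rewritten to `drop`; for an inline sensor the two thresholds are the company policy knobs the post describes. Rules that carry no `cf` value keep whatever action they already have, which is deliberate: a policy pass should not quietly disable a ruleset that was never scored.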