[Snort-users] Reliability of signatures
michael.scheidell at ...8144...
Fri Feb 4 10:36:25 EST 2011
On 2/4/11 10:23 AM, Martin Roesch wrote:
> I like that idea too. It'd make a lot of sense to integrate it into
> snort.org - in fact there's probably a lot of data about Snort
> detection performance, config options and rule quality we could put up
> there. Communication favors the defender...
(greets marty, long time no hear..)
We have thought of something like this also.
Some type of 'CF' (confidence factor); users can enable/disable rules
(oinkmaster, pulledpork, snort.conf module) based on CF and company policy.
Example: any rule with a CF of 100 (10? how granular do you want to
get?) would mean that 100% of the time, this rule does NOT FP!
If an inline/block/drop (fwsam) rule, it would always block; if in
detection mode, always alert.
A CF rule of 1 (1%) would almost NEVER block/alert.
You could have different policies for block and alert:
say, maybe, block on everything with a CF of >90%, alert on anything
with a CF > 50%.
Michael Scheidell, CTO
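A worked illustration of the block/alert policy proposed in the post above, added here as an example and not code from the thread or from the Snort project. It assumes each rule carries its confidence as a hypothetical `cf <0-100>` key inside the standard `metadata:` option (the key name is an assumption, not a Snort convention), and rewrites each rule's action the way a pulledpork-style post-processor could: drop above the block threshold, alert above the alert threshold, disabled below it.

```python
import re

# Constructed sample rules; the "cf" metadata key is a hypothetical convention.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed high-confidence rule"; content:"foo"; metadata:cf 95, policy balanced; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed medium-confidence rule"; content:"bar"; metadata:cf 60; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"constructed noisy rule"; content:"baz"; metadata:cf 10; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"constructed rule without cf"; content:"qux"; sid:1000004; rev:1;)
"""

METADATA_RE = re.compile(r"metadata:([^;]*);")
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+(.*)$", re.S)

def rule_cf(rule):
    """Return the integer CF (clamped to 0-100) from the metadata option, or None if absent."""
    m = METADATA_RE.search(rule)
    if not m:
        return None
    for item in m.group(1).split(","):
        parts = item.strip().split()
        if len(parts) == 2 and parts[0] == "cf":
            try:
                return max(0, min(100, int(parts[1])))
            except ValueError:
                return None
    return None

def apply_policy(rule, block_min=90, alert_min=50):
    """Rewrite one rule's action per CF policy: drop if cf > block_min,
    alert if cf > alert_min, otherwise comment the rule out."""
    line = rule.strip()
    if line.startswith("#"):
        return rule  # already disabled: leave it alone
    m = ACTION_RE.match(line)
    if not m:
        return rule  # blank line, include, or other non-rule text
    action, body = m.group(1), m.group(2)
    cf = rule_cf(body)
    if cf is None:
        return rule  # no CF on this rule: keep the author's action
    if cf > block_min:
        return f"drop {body}"
    if cf > alert_min:
        return f"alert {body}"
    return f"# disabled by CF policy (cf={cf}): {action} {body}"

def apply_policy_file(text, **thresholds):
    """Apply the policy to every line of a rules file and return the rewritten text."""
    return "\n".join(apply_policy(line, **thresholds) for line in text.splitlines())

if __name__ == "__main__":
    print(apply_policy_file(SAMPLE_RULES))
```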