[Snort-users] Reliability of signatures

Joel Esler jesler at ...1935...
Fri Feb 4 11:17:22 EST 2011


On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste at ...11827...> wrote:

> >> I like that idea too.  It'd make a lot of sense to integrate it into
> >> snort.org - in fact there's probably a lot of data about Snort
> >> detection performance, config options and rule quality we could put up
> >> there.  Communication favors the defender...
> >>
>
> Thanks, Marty.  I'm all for free resources, but that would make this
> project vendor-sponsored, which makes my spider senses tingle...  I'd
> feel better if a non-profit hosted, or at least a company that doesn't
> sell signatures.  Otherwise, it'd be like Starbucks sponsoring a
> coffee rating site.  Up-vote for Trenta!
>
> Vendor sponsored projects are okay I think, especially since we have the
resources to donate to a project that is going to make everyone's detection
better.



> > I would think it would need to have some kind of automatic reporting
> method,
> > perhaps with manual commenting?
> > J
>
> What do you mean by automatic?  I'd think we'd want this to remain
> manual, but as integrated into the analysis process as possible via
> whatever GUI you're using.  For SF products, a button built into the
> GUI, and maybe something to click on in Snorby, et al.?  And, of
> course, there would need to be the manual vote page on the site.  A
> basic JSON API to receive submissions would do fine on the web side.
>
> Actually, I could probably code this up this weekend if someone
> volunteers a neutral hosting space.  Will Jeff Atwood sue if we use
> snortoverflow.com?
>


What I was thinking was having a reputation (hit) count score from gid:sid
and maybe from the IP involved, then allow people to comment on said results
manually.

Using that information could build a high or low reputation score based upon
actual results, allowing the ruleset to be better tuned and formed, allowing
reduction of false positives or false negatives.

Just thinking outloud (which is usually a bad habit)

Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110204/b8f41f9d/attachment.html>


More information about the Snort-users mailing list