[Snort-users] Reliability of signatures

Martin Holste mcholste at ...11827...
Fri Feb 4 11:25:09 EST 2011


> I count about 30,000 signatures in the feed I pull down. That's a big effort to categorize. So perhaps an initial pass using the classifications might give a reasonable starting point.
>

If all sigs start neutral, then each sig can be categorized as people
get around to it.  It seems like a daunting task, but there is a
linear benefit to each signature categorized/rated, so every little
bit helps.

>I was thinking that further refinement effort could be driven by the signatures that are most active at any time, like the way SANS directs their efforts using dshield to identify what's most important. Over time, the most active signatures receive the most attention.
>

That could work, but I wonder if enough people use the default
configuration that it would overpower folks who are tuning.  Might be
worth a shot, though.




More information about the Snort-users mailing list