[Snort-users] Reliability of signatures
jason.r.wallace at ...11827...
Fri Feb 4 11:38:04 EST 2011
Maybe I'm missing something here that everyone else sees, but I don't
see how this could produce any form of reliable data.
1) Isn't accuracy of rules in part reliant on how well the sensor is tuned?
2) Isn't the determination of a legit hit vs. FP partially dependent
on the analysis skill?
3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev
bumps are often done to fix FP issues.
4) Wouldn't an open submission process/tool be vulnerable to malicious
bad data submissions?
On Fri, Feb 4, 2011 at 11:17 AM, Joel Esler <jesler at ...1935...> wrote:
> On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste at ...11827...> wrote:
>> >> I like that idea too. It'd make a lot of sense to integrate it into
>> >> snort.org - in fact there's probably a lot of data about Snort
>> >> detection performance, config options and rule quality we could put up
>> >> there. Communication favors the defender...
>> Thanks, Marty. I'm all for free resources, but that would make this
>> project vendor-sponsored, which makes my spider senses tingle... I'd
>> feel better if a non-profit hosted, or at least a company that doesn't
>> sell signatures. Otherwise, it'd be like Starbucks sponsoring a
>> coffee rating site. Up-vote for Trenta!
> Vendor sponsored projects are okay I think, especially since we have the
> resources to donate to a project that is going to make everyone's detection
>> > I would think it would need to have some kind of automatic reporting
>> > method,
>> > perhaps with manual commenting?
>> > J
>> What do you mean by automatic? I'd think we'd want this to remain
>> manual, but as integrated into the analysis process as possible via
>> whatever GUI you're using. For SF products, a button built into the
>> GUI, and maybe something to click on in Snorby, et al.? And, of
>> course, there would need to be the manual vote page on the site. A
>> basic JSON API to receive submissions would do fine on the web side.
>> Actually, I could probably code this up this weekend if someone
>> volunteers a neutral hosting space. Will Jeff Atwood sue if we use
> What I was thinking was having a reputation (hit) count score from gid:sid
> and maybe from the IP involved, then allow people to comment on said results
> Using that information could build a high or low reputation score based upon
> actual results, allowing the ruleset to be better tuned and formed, allowing
> reduction of false positives or false negatives.
> Just thinking out loud (which is usually a bad habit)
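The thread raises three design points for a crowd-sourced signature-quality service: verdicts must be keyed by GID:SID:REV rather than GID:SID (a rev bump often exists precisely to fix a false positive), submissions could arrive through a basic JSON API, and an open submission channel has to survive deliberately bad data. The following toy aggregator is an added example written for this page, not code from anyone in the thread or from the Snort project; the JSON field names, the SID 2000001, the submitter names and the per-submitter scoring are all assumptions made here. It validates each JSON submission, tracks verdicts per rule revision and per submitter, and scores a rule as the mean of each submitter's own false-positive fraction, so one source flooding the API moves the score by at most 1/N.

```python
"""Toy aggregator for crowd-sourced Snort signature verdicts (added example)."""
import json
import re
from collections import defaultdict

# Rule identity is GID:SID:REV. Keying on REV matters because a rev bump
# frequently changes a rule's false-positive behaviour, so verdicts for
# different revisions of the same SID must not be mixed.
RULE_KEY_RE = re.compile(r"^\d+:\d+:\d+$")
VALID_VERDICTS = ("true_positive", "false_positive")


class VerdictStore:
    """Stores verdicts per (rule, submitter) and scores each rule per submitter,
    so one submitter's volume cannot swamp everyone else's verdicts."""

    def __init__(self, per_submitter_cap=5):
        self.per_submitter_cap = per_submitter_cap
        # rule -> submitter -> {"true_positive": n, "false_positive": n}
        self.votes = defaultdict(
            lambda: defaultdict(lambda: dict.fromkeys(VALID_VERDICTS, 0)))

    def submit(self, raw_json):
        """Validate and record one JSON submission. Returns (accepted, reason)."""
        try:
            msg = json.loads(raw_json)
        except json.JSONDecodeError:
            return False, "malformed JSON"
        if not isinstance(msg, dict):
            return False, "submission must be a JSON object"
        rule, verdict, submitter = msg.get("rule"), msg.get("verdict"), msg.get("submitter")
        if not isinstance(rule, str) or not RULE_KEY_RE.match(rule):
            return False, "rule must be GID:SID:REV"
        if verdict not in VALID_VERDICTS:
            return False, "verdict must be true_positive or false_positive"
        if not isinstance(submitter, str) or not submitter:
            return False, "submitter required"
        tally = self.votes[rule][submitter]
        if sum(tally.values()) >= self.per_submitter_cap:
            return False, "per-submitter cap reached for this rule"
        tally[verdict] += 1
        return True, "accepted"

    def fp_score(self, rule, min_submitters=3):
        """Mean of each submitter's own FP fraction for this GID:SID:REV.
        Returns None when too few independent submitters exist to publish a score."""
        per_submitter = self.votes.get(rule)
        if not per_submitter or len(per_submitter) < min_submitters:
            return None
        fractions = [t["false_positive"] / (t["true_positive"] + t["false_positive"])
                     for t in per_submitter.values()]
        return round(sum(fractions) / len(fractions), 2)


def constructed_submissions():
    """Constructed sample feed: SID, revisions and submitter names are invented."""
    def s(rule, verdict, submitter):
        return json.dumps({"rule": rule, "verdict": verdict, "submitter": submitter})
    feed = [
        s("1:2000001:3", "false_positive", "analyst-a"),
        s("1:2000001:3", "false_positive", "analyst-a"),
        s("1:2000001:3", "false_positive", "analyst-b"),
        s("1:2000001:3", "true_positive", "analyst-c"),
        # rev 4 of the same SID is tracked separately from rev 3
        s("1:2000001:4", "true_positive", "analyst-a"),
        s("1:2000001:4", "true_positive", "analyst-b"),
        # submissions that validation must reject
        s("1:2000001", "false_positive", "analyst-a"),     # no REV component
        s("1:2000001:4", "bogus", "analyst-a"),             # unknown verdict
        '{"rule": "1:2000001:4", "verdict": ',              # truncated JSON
    ]
    # one source trying to flood rev 4 with false-positive verdicts
    feed += [s("1:2000001:4", "false_positive", "flooder")] * 8
    return feed


def run_demo(cap=5):
    """Feed the constructed submissions through a store and summarise the outcome."""
    store = VerdictStore(per_submitter_cap=cap)
    results = [store.submit(raw) for raw in constructed_submissions()]
    return {
        "rejected": [reason for ok, reason in results if not ok],
        "rev3_fp_score": store.fp_score("1:2000001:3"),
        "rev4_fp_score": store.fp_score("1:2000001:4"),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With the constructed feed, rev 3 scores 0.67 (two of three submitters call it a false positive) while rev 4 scores 0.33 even though the flooder sent eight verdicts: three are refused by the per-submitter cap and the five that land count as a single submitter's opinion. A score is withheld entirely until at least three independent submitters have weighed in, which is the cheapest guard against a single party publishing a verdict on its own.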