[Snort-users] Reliability of signatures

Jason Wallace jason.r.wallace at ...11827...
Fri Feb 4 11:38:04 EST 2011

Maybe I'm missing something here that everyone else sees, but I don't
see how this could produce any form of reliable data.

1) Isn't accuracy of rules in part reliant on how well the sensor is tuned?

2) Isn't the determination of a legit hit vs. FP partially dependent
on the analysis skill?

3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev
bumps are often done to fix FP issues.

4) Wouldn't an open submission process/tool be vulnerable to malicious
bad data submissions?


On Fri, Feb 4, 2011 at 11:17 AM, Joel Esler <jesler at ...1935...> wrote:
> On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste at ...11827...> wrote:
>> >> I like that idea too.  It'd make a lot of sense to integrate it into
>> >> snort.org - in fact there's probably a lot of data about Snort
>> >> detection performance, config options and rule quality we could put up
>> >> there.  Communication favors the defender...
>> >>
>> Thanks, Marty.  I'm all for free resources, but that would make this
>> project vendor-sponsored, which makes my spider senses tingle...  I'd
>> feel better if a non-profit hosted, or at least a company that doesn't
>> sell signatures.  Otherwise, it'd be like Starbucks sponsoring a
>> coffee rating site.  Up-vote for Trenta!
> Vendor sponsored projects are okay I think, especially since we have the
> resources to donate to a project that is going to make everyone's detection
> better.
>> > I would think it would need to have some kind of automatic reporting
>> > method,
>> > perhaps with manual commenting?
>> > J
>> What do you mean by automatic?  I'd think we'd want this to remain
>> manual, but as integrated into the analysis process as possible via
>> whatever GUI you're using.  For SF products, a button built into the
>> GUI, and maybe something to click on in Snorby, et al.?  And, of
>> course, there would need to be the manual vote page on the site.  A
>> basic JSON API to receive submissions would do fine on the web side.
>> Actually, I could probably code this up this weekend if someone
>> volunteers a neutral hosting space.  Will Jeff Atwood sue if we use
>> snortoverflow.com?
> What I was thinking was having a reputation (hit) count score from gid:sid
> and maybe from the IP involved, then allow people to comment on said results
> manually.
> Using that information could build a high or low reputation score based upon
> actual results, allowing the ruleset to be better tuned and formed, allowing
> reduction of false positives or false negatives.
> Just thinking out loud (which is usually a bad habit)
> Joel
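As an added example (not code from anyone on this thread), a small Python sketch of the scoring Joel describes, keyed the way Jason's point 3 requires: analyst verdicts are aggregated per GID:SID:REV, and the same data folded to GID:SID shows how a rule's fixed revision inherits the earlier revision's false positives. Alert lines and verdicts are constructed; the field names and the "tp"/"fp" labels are assumptions.

```python
import re
from collections import defaultdict

SIG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")   # [gid:sid:rev] in a fast-format alert
# Constructed analyst submissions: a Snort fast-format alert line plus the
# verdict reached after investigation ("tp" = true positive, "fp" = false positive).
# Revision 2 of rule 2000001 fired on benign traffic; revision 3 is the FP fix.
SUBMISSIONS = [
    ("02/04-11:02:13.120001  [**] [1:2000001:2] EXAMPLE suspicious GET [**] "
     "[Priority: 2] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80", "fp"),
    ("02/04-11:03:40.000100  [**] [1:2000001:2] EXAMPLE suspicious GET [**] "
     "[Priority: 2] {TCP} 10.0.0.6:51300 -> 192.0.2.10:80", "fp"),
    ("02/04-11:04:02.250000  [**] [1:2000001:2] EXAMPLE suspicious GET [**] "
     "[Priority: 2] {TCP} 10.0.0.8:51311 -> 192.0.2.10:80", "fp"),
    ("02/04-11:05:44.998877  [**] [1:2000001:3] EXAMPLE suspicious GET [**] "
     "[Priority: 2] {TCP} 10.0.0.7:40112 -> 192.0.2.10:80", "tp"),
    ("02/04-11:06:01.000000  [**] [1:2000001:3] EXAMPLE suspicious GET [**] "
     "[Priority: 2] {TCP} 10.0.0.9:40113 -> 192.0.2.10:80", "tp"),
    ("02/04-11:07:20.500000  [**] [1:2000002:1] EXAMPLE odd TLS handshake [**] "
     "[Priority: 3] {TCP} 10.0.0.9:40114 -> 192.0.2.11:443", "tp"),
    # Two malformed submissions of the kind an open intake (point 4) has to reject:
    ("garbage with no signature id at all", "fp"),
    ("02/04-11:08:00.000000  [**] [1:2000002:1] EXAMPLE odd TLS handshake [**] "
     "[Priority: 3] {TCP} 10.0.0.9:40115 -> 192.0.2.11:443", "maybe"),
]

def parse_sig(alert_line):
    """Return (gid, sid, rev) from a fast-format alert line, or None if absent."""
    m = SIG_RE.search(alert_line)
    return tuple(int(g) for g in m.groups()) if m else None

def score(submissions, keep_rev=True):
    """True-positive ratio per signature.  keep_rev=False folds all revisions
    of a rule into one GID:SID key, which is the view point 3 warns against."""
    tp, total = defaultdict(int), defaultdict(int)
    for line, verdict in submissions:
        sig = parse_sig(line)
        if sig is None or verdict not in ("tp", "fp"):
            continue                      # drop malformed input instead of counting it
        key = sig if keep_rev else sig[:2]
        total[key] += 1
        tp[key] += verdict == "tp"
    return {k: tp[k] / total[k] for k in total}

if __name__ == "__main__":
    for key, ratio in sorted(score(SUBMISSIONS).items()):
        print("%d:%d:%d  tp_ratio=%.2f" % (key + (ratio,)))
    for key, ratio in sorted(score(SUBMISSIONS, keep_rev=False).items()):
        print("%d:%d      tp_ratio=%.2f (revisions folded)" % (key + (ratio,)))
```

With the revision kept, 1:2000001:2 scores 0.00 and 1:2000001:3 scores 1.00; folded to 1:2000001 the fixed rule shows 0.40 and looks unreliable.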
