[Snort-users] Reliability of signatures
mcholste at ...11827...
Fri Feb 4 11:51:53 EST 2011
> 1) Isn't accuracy of rules in part reliant on how well the sensor is tuned?
Yep, each up/down vote would equal one grain of salt.
> 2) Isn't the determination of a legit hit vs. FP partially dependent
> on the analysis skill?
Yep, see above.
> 3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev
> bumps are often done to fix FP issues.
Yep, I would actually go with G:S:R along with the SHA1 of the signature.
> 4) Wouldn't an open submission process/tool be vulnerable to malicious
> bad data submissions?
Yep. You would have to put in a threshold for submissions of some
sort and see how it goes. Worst-case, a captcha.
In my mind, this only works if each up/down vote is a manual action
done during the course of an investigation. Basically, I want to know
what signatures were helpful to other IR teams during their
investigations. I want to be sure those rules are included in my
ruleset. Obviously, all submissions would have to be anonymous. IP's
would be nice, but then there's a chance someone could mess up src/dst
IP and accidentally de-anonymize themselves.
More information about the Snort-users