[Snort-users] Reliability of signatures

Martin Holste mcholste at ...11827...
Fri Feb 4 11:51:53 EST 2011


> 1) Isn't accuracy of rules in part reliant on how well the sensor is tuned?
>
Yep, each up/down vote would equal one grain of salt.

> 2) Isn't the determination of a legit hit vs. FP partially dependent
> on the analysis skill?
>
Yep, see above.

> 3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev
> bumps are often done to fix FP issues.
>
Yep, I would actually go with G:S:R along with the SHA1 of the signature.

> 4) Wouldn't an open submission process/tool be vulnerable to malicious
> bad data submissions?
>
Yep.  You would have to put in a threshold for submissions of some
sort and see how it goes.  Worst-case, a captcha.

In my mind, this only works if each up/down vote is a manual action
done during the course of an investigation.  Basically, I want to know
what signatures were helpful to other IR teams during their
investigations.  I want to be sure those rules are included in my
ruleset.  Obviously, all submissions would have to be anonymous.  IP's
would be nice, but then there's a chance someone could mess up src/dst
IP and accidentally de-anonymize themselves.




More information about the Snort-users mailing list