[Snort-users] Reliability of signatures

Crusty Saint saintcrusty at ...11827...
Fri Feb 4 11:59:09 EST 2011


ehrm ... i'm not quite sure where this leads .... obviously .... so here i
go anyway

Being able to separate between protections that have and don't have known
false-rates directly from log entries (daq) is in itself practical, imho it
permits to work with a 'sketch or picture' for that specific environment
which is easier to adapt to.

Correct me if i'm wrong .... known FP/FN sid's vs known sid's with neither
FP/FN could allready by categorized as a first level of confidence.

Actually it does 'feel' that multiple levels-of-confidence could be better
then a single confidence level.

For now i only see Three  ( draftish )

1) FP/FN confidence level (Y/N)
2) Personal Confidence level ( Categories )
3) Community Confidence level ( Percentage )


Checkpoint's confidence levels are a nice way of doing things but then
again, who wants a sid that is 50% correct ? Better then nothing, agreed,
but when would one have to care for that percentage of doubt ? Which is a
big plus for snort as their sid's are open, one could actually verify what
is checked for.




2011/2/4 Michael Scheidell <michael.scheidell at ...8144...>

>  On 2/4/11 11:12 AM, Crusty Saint wrote:
>
> For now a flag for false-pos and one for false-neg would be nice to have.
>
> a SORTA OF A BAYSIAN sorta thing?
>
> fp's go to 'ham', not fp's go to 'spam'? :-)
>
> you poll the value (CF) confidence factor .
>
>
>
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> > *| *SECNAP Network Security Corporation
>
>    - Certified SNORT Integrator
>    - 2008-9 Hot Company Award Winner, World Executive Alliance
>    - Five-Star Partner Program 2009, VARBusiness
>    - Best in Email Security,2010: Network Products Guide
>    - King of Spam Filters, SC Magazine 2008
>
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------
>
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110204/9413de5e/attachment.html>


More information about the Snort-users mailing list