[Snort-users] Reliability of signatures

Crusty Saint saintcrusty at ...11827...
Fri Feb 4 12:12:31 EST 2011


Did someone ever consider an european-fork for snort ? US and EU share a lot
but i'm not sure they share IT infrastructure trust.



2011/2/4 Matthew Jonkman <jonkman at ...15020...>

> I agree on the vendor being the keeper of the data. And I'd volunteer ET
> for the task, but any resources we'd muster would be off the proceeds of ET
> Pro sales, so we're in the same category really.
>
> We started something like that a while ago in sidreporter, but didn't get
> it far off the ground unfortunately.
>
> If we do this in another venue we also need to do something to correlate
> sids, because the ET Pro reports would be for similar vulns or issues, but
> different sids. So we'd really need to either correlate (major PITA), or run
> side by side separate databases.
>
> Then there are the issues of not disclosing sensitive data in automated
> reporting. I think we've done a good job there in sidreporter, but it's
> still a concern for most companies.
>
> So a few thoughts:
>
> A joint Sourcefire-ET Pro supported database run by community members?
>
> OISF maybe take it in as a project and volunteers run it? (could secure
> gov't funding for something like that in the long term if it were in a
> non-profit)
>
> ET and SF both stand up their own? But maybe share a reporting mechanism?
>
> I dunno. Lots of possibilities, and a lot of very good data we could
> generate in a mostly automated way for signature confidence...
>
> Thoughts?
>
> Matt
>
>
>
> On Feb 4, 2011, at 11:17 AM, Joel Esler wrote:
>
> On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste at ...11827...> wrote:
>
>> >> I like that idea too.  It'd make a lot of sense to integrate it into
>> >> snort.org - in fact there's probably a lot of data about Snort
>> >> detection performance, config options and rule quality we could put up
>> >> there.  Communication favors the defender...
>> >>
>>
>> Thanks, Marty.  I'm all for free resources, but that would make this
>> project vendor-sponsored, which makes my spider senses tingle...  I'd
>> feel better if a non-profit hosted, or at least a company that doesn't
>> sell signatures.  Otherwise, it'd be like Starbucks sponsoring a
>> coffee rating site.  Up-vote for Trenta!
>>
>> Vendor sponsored projects are okay I think, especially since we have the
> resources to donate to a project that is going to make everyone's detection
> better.
>
>
>
>> > I would think it would need to have some kind of automatic reporting
>> method,
>> > perhaps with manual commenting?
>> > J
>>
>> What do you mean by automatic?  I'd think we'd want this to remain
>> manual, but as integrated into the analysis process as possible via
>> whatever GUI you're using.  For SF products, a button built into the
>> GUI, and maybe something to click on in Snorby, et al.?  And, of
>> course, there would need to be the manual vote page on the site.  A
>> basic JSON API to receive submissions would do fine on the web side.
>>
>> Actually, I could probably code this up this weekend if someone
>> volunteers a neutral hosting space.  Will Jeff Atwood sue if we use
>> snortoverflow.com?
>>
>
>
> What I was thinking was having a reputation (hit) count score from gid:sid
> and maybe from the IP involved, then allow people to comment on said results
> manually.
>
> Using that information could build a high or low reputation score based
> upon actual results, allowing the ruleset to be better tuned and formed,
> allowing reduction of false positives or false negatives.
>
> Just thinking outloud (which is usually a bad habit)
>
> Joel
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
>
> http://p.sf.net/sfu/oracle-sfdevnlfb_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110204/d7b8bbd6/attachment.html>


More information about the Snort-users mailing list