[Snort-users] Reliability of signatures

Matthew Jonkman jonkman at ...15020...
Fri Feb 4 12:12:58 EST 2011


BTW: The spec we used in sidreporter. Works well, simple, easy to generate:

http://doc.emergingthreats.net/bin/view/Main/SidReporter

Open for use in whatever project whoever sets up.

Matt

On Feb 4, 2011, at 12:06 PM, Matthew Jonkman wrote:

> I agree on the vendor being the keeper of the data. And I'd volunteer ET for the task, but any resources we'd muster would be off the proceeds of ET Pro sales, so we're in the same category really.
> 
> We started something like that a while ago in sidreporter, but didn't get it far off the ground unfortunately.
> 
> If we do this in another venue we also need to do something to correlate sids, because the ET Pro reports would be for similar vulns or issues, but different sids. So we'd really need to either correlate (major PITA), or run side by side separate databases. 
> 
> Then there are the issues of not disclosing sensitive data in automated reporting. I think we've done a good job there in sidreporter, but it's still a concern for most companies. 
> 
> So a few thoughts:
> 
> A joint Sourcefire-ET Pro supported database run by community members?
> 
> OISF maybe take it in as a project and volunteers run it? (could secure gov't funding for something like that in the long term if it were in a non-profit)
> 
> ET and SF both stand up their own? But maybe share a reporting mechanism?
> 
> I dunno. Lots of possibilities, and a lot of very good data we could generate in a mostly automated way for signature confidence...
> 
> Thoughts?
> 
> Matt
> 
> 
> 
> On Feb 4, 2011, at 11:17 AM, Joel Esler wrote:
> 
>> On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste at ...11827...> wrote:
>> >> I like that idea too.  It'd make a lot of sense to integrate it into
>> >> snort.org - in fact there's probably a lot of data about Snort
>> >> detection performance, config options and rule quality we could put up
>> >> there.  Communication favors the defender...
>> >>
>> 
>> Thanks, Marty.  I'm all for free resources, but that would make this
>> project vendor-sponsored, which makes my spider senses tingle...  I'd
>> feel better if a non-profit hosted, or at least a company that doesn't
>> sell signatures.  Otherwise, it'd be like Starbucks sponsoring a
>> coffee rating site.  Up-vote for Trenta!
>> 
>> Vendor sponsored projects are okay I think, especially since we have the resources to donate to a project that is going to make everyone's detection better.
>> 
>>  
>> > I would think it would need to have some kind of automatic reporting method,
>> > perhaps with manual commenting?
>> > J
>> 
>> What do you mean by automatic?  I'd think we'd want this to remain
>> manual, but as integrated into the analysis process as possible via
>> whatever GUI you're using.  For SF products, a button built into the
>> GUI, and maybe something to click on in Snorby, et al.?  And, of
>> course, there would need to be the manual vote page on the site.  A
>> basic JSON API to receive submissions would do fine on the web side.
>> 
>> Actually, I could probably code this up this weekend if someone
>> volunteers a neutral hosting space.  Will Jeff Atwood sue if we use
>> snortoverflow.com?
>> 
>> 
>> What I was thinking was having a reputation (hit) count score from gid:sid and maybe from the IP involved, then allow people to comment on said results manually.
>> 
>> Using that information could build a high or low reputation score based upon actual results, allowing the ruleset to be better tuned and formed, allowing reduction of false positives or false negatives.
>> 
>> Just thinking outloud (which is usually a bad habit)
>> 
>> Joel
>> ------------------------------------------------------------------------------
>> The modern datacenter depends on network connectivity to access resources
>> and provide services. The best practices for maximizing a physical server's
>> connectivity to a physical network are well understood - see how these
>> rules translate into the virtual world? 
>> http://p.sf.net/sfu/oracle-sfdevnlfb_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world? 
> http://p.sf.net/sfu/oracle-sfdevnlfb_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110204/5c893be5/attachment.html>


More information about the Snort-users mailing list