[Snort-users] Reliability of signatures

Martin Holste mcholste at ...11827...
Fri Feb 4 12:56:05 EST 2011


> Actually this discussion is helping.  It's letting us know what you are
> interested in.
>

Ok, cool.

So, here's my feedback to SF/ET regarding what will help, and I'll try
to summarize the above comments to be sure I have understood them:

1. Up/down vote per gid:sid:rev my analysts can click on at the tail
end of an investigation to indicate that something's been helpful with
a way to make a note of how it was helpful.
2. DShield/sidreporter-style automated submissions so that you guys
can see the sigs that are flagging on all kinds of FPs right off the
bat and also to get a cross-section of what IPs are flagging alerts.
3. Up/down vote for category confidence on a given gid:sid:rev.
And, I'd personally add a fourth that I feel is very important:
4. Tag suggestion for a gid:sid:rev with corresponding up/down vote
for confidence.

I personally want to see 1 and 4 implemented ASAP, and they can be
started without retrofitting to all existing signatures.  Each datum
contributed is value added.
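An added example, not part of this thread, sketching the data side of items 1 to 4 for Snort's alert_fast output: per gid:sid:rev it aggregates hits and distinct source IPs for a DShield/sidreporter-style submission, and records analyst up/down votes, notes and tag confidence. The alert lines, sids and tag names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed alert_fast lines (placeholder local sids, not real alerts).
SAMPLE_ALERTS = """\
02/04-12:56:05.000001  [**] [1:1000001:3] LOCAL example sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
02/04-12:56:06.000002  [**] [1:1000001:3] LOCAL example sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.6:51235 -> 192.0.2.10:80
02/04-12:56:07.000003  [**] [1:1000001:3] LOCAL example sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51236 -> 192.0.2.11:80
02/04-12:56:08.000004  [**] [1:1000002:1] LOCAL example sig B [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.7:5353 -> 192.0.2.12:53
"""

# gid:sid:rev, rule message, protocol and endpoints from an alert_fast line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def summarize_alerts(text):
    """Item 2: hit count and distinct source IPs per gid:sid:rev."""
    summary = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip lines that are not alert_fast records
        key = f"{m['gid']}:{m['sid']}:{m['rev']}"
        entry = summary.setdefault(key, {"msg": m["msg"], "hits": 0, "sources": set()})
        entry["hits"] += 1
        entry["sources"].add(m["src"])
    return summary

class SigFeedback:
    """Items 1, 3, 4: analyst votes, notes and tag confidence per gid:sid:rev."""
    def __init__(self):
        self.votes = defaultdict(lambda: {"up": 0, "down": 0, "notes": []})
        self.tags = defaultdict(lambda: defaultdict(lambda: {"up": 0, "down": 0}))

    def vote(self, sig, helpful, note=""):
        self.votes[sig]["up" if helpful else "down"] += 1
        if note:
            self.votes[sig]["notes"].append(note)

    def tag(self, sig, tag, agree=True):
        self.tags[sig][tag]["up" if agree else "down"] += 1

    def confidence(self, sig):
        v = self.votes[sig]
        total = v["up"] + v["down"]
        return v["up"] / total if total else None  # None: no votes yet

def submission_report(text, feedback):
    """(sig, hits, distinct sources, analyst confidence) rows for submission."""
    return [(sig, e["hits"], len(e["sources"]), feedback.confidence(sig))
            for sig, e in sorted(summarize_alerts(text).items())]
```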
