[Snort-users] Reliability of signatures

beenph beenph at ...11827...
Fri Feb 4 13:33:07 EST 2011


Honestly, I think that if you provide a service that is based on a free
resource or paid subscription you should
give yourself a process to filter the detection input you receive and be able
to adapt it for your setup.


If your analyst can't do it there is probably an in your process somewhere.


On Fri, Feb 4, 2011 at 12:56 PM, Martin Holste <mcholste at ...11827...> wrote:
>> Actually this discussion is helping.  It's letting us know what you are
>> interested in.
>>
>
> Ok, cool.
>
> So, here's my feedback to SF/ET regarding what will help, and I'll try
> to summarize the above comments to be sure I have understood them:
>
> 1. Up/down vote per gid:sid:rev my analysts can click on at the tail
> end of an investigation to indicate that something's been helpful with
> a way to make a note of how it was helpful.
> 2. Dshield/sidreporter-style automated submissions so that you guys
> can see the sigs that are flagging on all kinds of FP's right off the
> bat and also to get a cross-section of what IP's are flagging alerts.
> 3. Up/down vote for category confidence on a given gid:sid:rev.
> And, I'd personally add a fourth that I feel is very important:
> 4. Tag suggestion for a gid:sid:rev with corresponding up/down vote
> for confidence.
>
> I personally want to see 1 and 4 implemented ASAP, and they can be
> started without retrofitting to all existing signatures.  Each datum
> contributed is value added.
>



