[Snort-users] Reliability of signatures
jason.r.wallace at ...11827...
Fri Feb 4 13:53:42 EST 2011
threshold/event_filter statements will fudge that up too...
On Fri, Feb 4, 2011 at 1:45 PM, Martin Holste <mcholste at ...11827...> wrote:
>> Personally, I'd like to know what
>> the most important (as measured, perhaps, as the most hits)
> Ok, hang on--I'd actually say that you can get a pretty good idea of
> the most important signatures by sorting them in ascending order by
> hits. The higher the number of hits, the greater probability that
> each hit is an FP and the signature isn't helpful. Important caveats
> would be for the sigs that aren't alerting on "bad" traffic, but
> traffic that is usually good unless it's from a certain IP address
> (JAR files, exe files, etc.) or SCAN signatures. That nuance actually
> makes this kind of hard to do in a helpful way.
> It's for this reason that I want the manual submissions, not based on logs.
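To make the point about threshold/event_filter statements concrete, here is an added example that is not part of the original thread or of Snort itself: a small Python model of Snort's three event_filter types (limit, threshold, both) applied to a constructed stream of raw detections. The sig_ids, source addresses and filter settings are hypothetical, and the windowing is a simplified model of Snort's behaviour (the tracking interval starts at the first matching event). It shows that the ranking you get by sorting logged alert counts can differ from the ranking by actual detections once filters are in play.

```python
"""Model of Snort event_filter semantics (added example, not Snort code).

Shows how event_filter/threshold statements change the per-signature hit
counts that end up in the alert log, and therefore the order you get when
you sort signatures by hits.
"""
from collections import defaultdict

# Hypothetical filters, in the spirit of snort.conf syntax such as:
#   event_filter gen_id 1, sig_id 2001, type limit, track by_src, count 1, seconds 60
# The sig_ids 2001-2004 are illustrative only.
FILTERS = {
    (1, 2001): {"type": "limit", "track": "by_src", "count": 1, "seconds": 60},
    (1, 2002): {"type": "threshold", "track": "by_src", "count": 5, "seconds": 60},
    (1, 2003): {"type": "both", "track": "by_src", "count": 3, "seconds": 60},
}


def apply_event_filters(events, filters):
    """Return the subset of events that would actually be logged.

    events: iterable of (timestamp_seconds, gen_id, sig_id, src, dst).
    limit      -> log the first `count` events per tracked address per window
    threshold  -> log every `count`-th event per tracked address per window
    both       -> log once per window, when `count` events have been seen
    A new window starts at the first event seen after the previous window
    expired (simplified model of Snort's tracking interval).
    """
    state = {}  # (gid, sid, tracked_addr) -> (window_start, events_in_window)
    logged = []
    for ts, gid, sid, src, dst in events:
        f = filters.get((gid, sid))
        if f is None:
            logged.append((ts, gid, sid, src, dst))
            continue
        key = (gid, sid, src if f["track"] == "by_src" else dst)
        start, n = state.get(key, (None, 0))
        if start is None or ts - start >= f["seconds"]:
            start, n = ts, 0
        n += 1
        state[key] = (start, n)
        kind = f["type"]
        if kind == "limit":
            fire = n <= f["count"]
        elif kind == "threshold":
            fire = n % f["count"] == 0
        elif kind == "both":
            fire = n == f["count"]
        else:
            raise ValueError(f"unknown event_filter type {kind!r}")
        if fire:
            logged.append((ts, gid, sid, src, dst))
    return logged


def hit_counts(events):
    """Per-signature hit counts as a dict keyed by (gen_id, sig_id)."""
    counts = defaultdict(int)
    for _, gid, sid, _, _ in events:
        counts[(gid, sid)] += 1
    return dict(counts)


def rank_by_hits(counts):
    """Signatures ordered from most to fewest hits."""
    return [k for k, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def build_sample_events():
    """Constructed raw detections (not real traffic).

    2001: 100 events from one host over 100 s (limit, count 1 -> 2 logged)
    2002: 20 events from one host over 20 s (threshold, count 5 -> 4 logged)
    2003: 10 events from one host over 10 s (both, count 3 -> 1 logged)
    2004: 12 events from 12 different hosts, no filter (12 logged)
    """
    events = []
    events += [(t, 1, 2001, "10.0.0.1", "10.0.1.1") for t in range(100)]
    events += [(t, 1, 2002, "10.0.0.2", "10.0.1.1") for t in range(20)]
    events += [(t, 1, 2003, "10.0.0.3", "10.0.1.1") for t in range(10)]
    events += [(t, 1, 2004, f"10.0.2.{t + 1}", "10.0.1.1") for t in range(12)]
    return sorted(events)


if __name__ == "__main__":
    raw = build_sample_events()
    logged = apply_event_filters(raw, FILTERS)
    print("raw detections :", hit_counts(raw), rank_by_hits(hit_counts(raw)))
    print("logged alerts  :", hit_counts(logged), rank_by_hits(hit_counts(logged)))
```

With these filters the signature that fired most often in reality (2001, 100 detections) logs only two alerts and drops to third place, while the unfiltered signature 2004 moves to the top. Any "most hits is probably most FPs" heuristic run over the alert log therefore needs the event_filter configuration alongside it, or it will be measuring the filters as much as the rules.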