[Snort-users] Reliability of signatures

beenph beenph at ...11827...
Fri Feb 4 14:03:35 EST 2011

On Fri, Feb 4, 2011 at 1:53 PM, Jason Wallace <jason.r.wallace at ...11827...> wrote:
> threshold/event_filter statements will fudge that up too...
> On Fri, Feb 4, 2011 at 1:45 PM, Martin Holste <mcholste at ...11827...> wrote:
>>> Personally, I'd like to know what
>>> the most important (as measured, perhaps, as the most hits)
>> Ok, hang on--I'd actually say that you can get a pretty good idea of
>> the most important signatures by sorting them in ascending order by
>> hits.  The higher the number of hits, the greater probability that
>> each hit is an FP and the signature isn't helpful.  Important caveats
>> would be for the sigs that aren't alerting on "bad" traffic, but
>> traffic that is usually good unless it's from a certain IP address
>> (JAR files, exe files, etc.) or SCAN signatures.  That nuance actually
>> makes this kind of hard to do in a helpful way.
>> It's for this reason that I want the manual submissions, not based on logs.

> I think there's an in YOUR somewhere.

A typo, shit happens, English is not my first language.

This aside, if you can't create multiple rule set instances for the
same traffic and make a clear distinction in rule importance for each
instance, you won't be able to achieve something valuable at the end.

If you are still managing your clients' rules with something like
pulledpork or by hand, you might also have an issue.

Open-source UIs have been lacking for years on "sensor" management and
on rule context like thresholding and suppression (for an individual
instance, multiple instances, or even system wide). Some of them even
ignore revision.

All of this points to the usage you make of the publicly available
data and/or even the subscribed data.

All the changes to a submission system will still be context relevant
and might not apply to you, and you will end up having people who will
not try to understand what they actually see but will basically rely on
that to apply automatic rule tuning, and the problem will still be
there for the "unknown" proportion of people who do not take the time
to tune and manage their rule set.
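Two points in this thread lend themselves to a worked example: Martin's suggestion of ranking signatures by hit count, with the caveat that some high-hit rules (EXE/JAR downloads that are fine unless they come from a certain IP, SCAN rules) should not be tuned on count alone, and the follow-up point that thresholding, suppression and rule revision have to be tracked per signature. The script below is an added example, not code from this thread or from the Snort project: it parses Snort `alert_fast` lines, tallies hits per `gen_id:sig_id` while recording which revisions were seen, ranks them, and drafts `event_filter`/`suppress` lines in `threshold.conf` syntax. The sample alerts, the local SIDs (1000001 to 1000003), the "trusted source" list and the policy of rate-limiting SCAN rules by source while only suppressing explicitly trusted sources for other rules are all assumptions made for the example.

```python
"""Tally Snort alert_fast output per signature and draft event_filter /
suppress lines for the noisiest ones.  Added example; not code from the
original thread or from the Snort project."""
import re
from collections import Counter, defaultdict

# Constructed sample alert_fast lines (local SIDs in the 1000000+ range,
# RFC 5737 / RFC 1918 addresses); this is not captured traffic.
SAMPLE_ALERTS = """\
02/04-13:45:01.000001  [**] [1:1000001:7] LOCAL POLICY EXE download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.10:80 -> 192.168.1.10:51234
02/04-13:45:02.000001  [**] [1:1000001:7] LOCAL POLICY EXE download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.10:80 -> 192.168.1.11:51235
02/04-13:45:03.000001  [**] [1:1000001:8] LOCAL POLICY EXE download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.77:80 -> 192.168.1.12:51236
02/04-13:45:04.000001  [**] [1:1000002:3] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.168.1.20:22
02/04-13:45:05.000001  [**] [1:1000002:3] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.168.1.21:22
02/04-13:45:06.000001  [**] [1:1000002:3] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40002 -> 192.168.1.22:22
02/04-13:45:07.000001  [**] [1:1000002:3] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40003 -> 192.168.1.23:22
02/04-13:45:08.000001  [**] [1:1000003:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
"""

# [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Return one dict per parseable alert_fast line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
        alerts.append(d)
    return alerts


def tally(alerts):
    """Hits, revisions seen and per-source counts, each keyed by (gid, sid)."""
    hits = Counter()
    revs = defaultdict(set)
    sources = defaultdict(Counter)
    for a in alerts:
        key = (a["gid"], a["sid"])
        hits[key] += 1
        revs[key].add(a["rev"])        # a rev change means the rule logic changed
        sources[key][a["src"]] += 1
    return hits, revs, sources


def rank_by_hits(hits):
    """(gid, sid, hits) with the noisiest signature first."""
    return [(g, s, n) for (g, s), n in hits.most_common()]


def draft_tuning(alerts, noisy_at=3, trusted_sources=()):
    """Draft threshold.conf lines for signatures with at least noisy_at hits.

    Policy (an assumption of this example): SCAN-style rules get a per-source
    rate limit, since the first hit from a source is what matters; for other
    rules a source is suppressed only if the operator listed it as trusted,
    because many hits from one IP may be exactly what the rule exists for.
    """
    hits, revs, sources = tally(alerts)
    msgs = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    lines = []
    for gid, sid, n in rank_by_hits(hits):
        if n < noisy_at:
            break
        if len(revs[(gid, sid)]) > 1:
            lines.append(f"# sid {sid} seen with revs {sorted(revs[(gid, sid)])}: "
                         "rule logic changed, re-evaluate before tuning")
        if "SCAN" in msgs[(gid, sid)]:
            lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                         "track by_src, count 1, seconds 60")
            continue
        untrusted = 0
        for src, cnt in sources[(gid, sid)].items():
            if src in trusted_sources:
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
            else:
                untrusted += cnt
        if untrusted:
            lines.append(f"# sid {sid}: {untrusted} hit(s) from untrusted sources, "
                         "review by hand before filtering")
    return lines


if __name__ == "__main__":
    for line in draft_tuning(parse_alerts(SAMPLE_ALERTS),
                             trusted_sources=("198.51.100.10",)):
        print(line)
```

The emitted lines are only a draft for a human to review per sensor instance; the revision comment is there precisely because a threshold written against one revision of a rule may be wrong for the next.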


More information about the Snort-users mailing list