[Snort-users] [Emerging-Sigs] Reliability of signatures

Jim Hranicky jfh at ...5250...
Fri Feb 4 14:43:05 EST 2011


On Fri, 4 Feb 2011 14:01:05 -0500
Matthew Jonkman <jonkman at ...15020...> wrote:

> I agree on the difference between just logging hits and having true FP and TP ratings.
> But even a false positive can be different on the same packet in different
> organizations. Many folks mark a hit a false positive because it's just not of
> interest, vs not hitting on what it's supposed to be looking for.

I guess there'd need to be guidelines for what constitutes a false, like
"did the rule detect what it was intended to detect".

If you're not interested, ideally you wouldn't use and/or report on the
rule. 

Instead of a straight up/down vote, we could do this: 

  [ ] Works as intended     [ ] False Positive    [ ] False Negative

(I think others have said something similar in this thread)

Sometimes a rule is very useful but has a small number of falses. Something
95% effective at detecting say a Zeus infection is something I'd include
in my ruleset (hey, that's what I do now!)

While we're wildly throwing ideas out, it seems that including the payload 
could be useful for the rule author in tuning the sig whether false or
not. On the other hand, that would likely make for a complicated system,
so perhaps tuning could be left to the mailing lists. 

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
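An added example, not part of the original message or of any Snort/Emerging Threats tooling: a small Python script that applies the three-way rating proposed above (works as intended / false positive / false negative) to a set of per-rule reports and derives an "include or tune" recommendation using the 95% effectiveness figure mentioned in the post. Everything here is assumed for illustration: the `Report` record, the organisation names, the threshold and minimum-report parameters, and the SIDs in the sample data are all constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Verdict categories from the proposed three-way rating (instead of an up/down vote).
# A "false positive" here follows the guideline suggested in the post: the rule fired
# on something it was not intended to detect, not merely something the reporter
# found uninteresting.
WORKS = "works_as_intended"
FP = "false_positive"
FN = "false_negative"
VERDICTS = {WORKS, FP, FN}


@dataclass(frozen=True)
class Report:
    sid: int        # rule SID the report refers to (constructed values below)
    org: str        # reporting organisation (hypothetical identifier)
    verdict: str    # one of VERDICTS


def summarize(reports: Iterable[Report]) -> Dict[int, Counter]:
    """Tally verdicts per rule SID. A report whose verdict is outside the three
    guideline categories is rejected rather than silently counted."""
    tally: Dict[int, Counter] = defaultdict(Counter)
    for r in reports:
        if r.verdict not in VERDICTS:
            raise ValueError(f"unknown verdict {r.verdict!r} for sid {r.sid}")
        tally[r.sid][r.verdict] += 1
    return dict(tally)


def effectiveness(c: Counter) -> float:
    """Share of reported hits that were the intended detection.
    False negatives are misses, not hits, so they do not enter this ratio."""
    hits = c[WORKS] + c[FP]
    return c[WORKS] / hits if hits else 0.0


def recommend(tally: Dict[int, Counter],
              min_effectiveness: float = 0.95,
              min_hits: int = 5) -> Dict[int, str]:
    """Map each SID to a decision: 'include' when the rule is at least
    min_effectiveness on enough reported hits, 'tune' when it is noisier than
    that, and 'insufficient data' when too few hits have been reported to judge.
    False negatives are left in the tally for the rule author to look at
    separately; they do not change the include/tune decision."""
    decisions: Dict[int, str] = {}
    for sid, c in tally.items():
        hits = c[WORKS] + c[FP]
        if hits < min_hits:
            decisions[sid] = "insufficient data"
        elif effectiveness(c) >= min_effectiveness:
            decisions[sid] = "include"
        else:
            decisions[sid] = "tune"
    return decisions


def _make(sid: int, org: str, verdict: str, n: int) -> List[Report]:
    """Build n reports of the same verdict from distinct hypothetical orgs."""
    return [Report(sid, f"{org}-{i}", verdict) for i in range(n)]


# Constructed sample data: three made-up SIDs with different report profiles.
SAMPLE_REPORTS: List[Report] = (
    _make(2000001, "orgA", WORKS, 19) + _make(2000001, "orgB", FP, 1)   # 95% effective
    + _make(2000002, "orgA", WORKS, 3) + _make(2000002, "orgC", FP, 3)  # 50% effective
    + _make(2000003, "orgB", WORKS, 2) + _make(2000003, "orgD", FN, 4)  # too few hits, misses reported
)

if __name__ == "__main__":
    tally = summarize(SAMPLE_REPORTS)
    for sid, decision in sorted(recommend(tally).items()):
        c = tally[sid]
        print(f"sid {sid}: works={c[WORKS]} fp={c[FP]} fn={c[FN]} "
              f"effectiveness={effectiveness(c):.2f} -> {decision}")
```

The ratio deliberately excludes false negatives: a rule that fires cleanly but misses half of what it should catch is still "works as intended" on every hit it produces, so misses are surfaced as a separate count for the author rather than folded into one score.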
