[Snort-users] Reliability of signatures

Martin Holste mcholste at ...11827...
Fri Feb 4 14:44:58 EST 2011

> I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just not of interest, vs not hitting on what it's supposed to be looking for.

Right, which is why this is voting.  If someone goes through the
effort of marking a sig a certain way, it means something to them, and
I'm interested in that.  I'm sure some people will accidentally mark a
sig a false positive because they didn't investigate it thoroughly.
I'm betting that there are more instances of people correctly
evaluating the signature than mistakes.  If you think that's wrong and
too naive, then we should probably scrap the whole idea.

> I don't see real good ways to make that distinction en masse, I certainly wouldn't want to have to mark events that way in addition to the usual handling of events.

Nobody "wants" to do this, but there is an incredible amount of value
for a small amount of community work.

> I think there is definitely value in just tracking raw hits. A few things off the top of my head:

Agree 100%.  I want to do both auto and manual reporting.
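The thread talks about combining automatic raw-hit counts with manual, per-organization TP/FP votes, and about keeping "not of interest to us" apart from "did not match what the rule was written for". The following is an added example, not code from the list or from the Snort project, showing one way to aggregate such data: hits are counted per gid:sid, each org's latest vote for a signature is the only one that counts, and a false-positive ratio is only reported once a minimum number of decisive (TP or FP) votes exist, so a single careless vote cannot brand a rule as noisy. The signature IDs, org names and votes are constructed sample data.

```python
"""Aggregate raw Snort alert hits with per-organization TP/FP votes (added example)."""
from collections import Counter, defaultdict

# Vote labels. Keeping "noi" (not of interest) separate from "fp" records the
# distinction between "fired on something I don't care about" and "fired on
# something it was not written to detect".
TP, FP, NOI = "tp", "fp", "noi"
VALID = {TP, FP, NOI}


def tally(hit_log, vote_log):
    """hit_log: iterable of gid:sid strings, one entry per alert that fired.
    vote_log: iterable of (gid:sid, org, label) tuples in submission order;
    an org may re-vote, and only its latest vote for a signature counts."""
    hits = Counter(hit_log)
    latest = {}  # (sig, org) -> label, overwritten by later votes
    for sig, org, label in vote_log:
        if label not in VALID:
            raise ValueError(f"unknown vote label {label!r}")
        latest[(sig, org)] = label
    votes = defaultdict(Counter)
    for (sig, org), label in latest.items():
        votes[sig][label] += 1
    return hits, votes


def report(hits, votes, min_votes=2):
    """Per-signature summary. fp_ratio is fp / (tp + fp) over decisive votes
    only (NOI votes are listed but do not count against the rule); it stays
    None until at least min_votes orgs have made a TP/FP call."""
    out = {}
    for sig in sorted(set(hits) | set(votes)):
        v = votes.get(sig, Counter())
        decisive = v[TP] + v[FP]
        out[sig] = {
            "hits": hits.get(sig, 0),
            "tp": v[TP],
            "fp": v[FP],
            "noi": v[NOI],
            "fp_ratio": (v[FP] / decisive) if decisive >= min_votes else None,
        }
    return out


# Constructed sample data (not real alerts, rules or votes).
SAMPLE_HITS = ["1:2000001"] * 3 + ["1:2000002"] + ["1:2000003"] * 2
SAMPLE_VOTES = [
    ("1:2000001", "org-a", FP),
    ("1:2000001", "org-b", FP),
    ("1:2000001", "org-c", TP),
    ("1:2000002", "org-a", NOI),  # fired correctly, just not interesting there
    ("1:2000002", "org-b", TP),
    ("1:2000003", "org-a", FP),
    ("1:2000003", "org-a", TP),   # org-a revisited the alert and reversed its vote
]


def sample_report():
    """Run the aggregation over the constructed sample and return the summary."""
    return report(*tally(SAMPLE_HITS, SAMPLE_VOTES))


if __name__ == "__main__":
    for sig, row in sample_report().items():
        print(sig, row)
```

In the sample, 1:2000001 ends up with three hits and a 2/3 FP ratio, 1:2000002 has one TP and one NOI vote but no ratio yet (only one decisive vote), and 1:2000003 shows a single TP because org-a's later vote replaced its earlier FP.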
