[Snort-users] Reliability of signatures
wkitty42 at ...14940...
Fri Feb 4 19:34:58 EST 2011
On 2/4/2011 09:50, Martin Holste wrote:
> For instance, the signature "CHAT MSN
> messenger http link transmission attempt" is classified as Trojan
> activity. Sure, links in an MSN message can point to malware, but I
> hardly think that every MSN message with a link in it should be
> classified as "Trojan activity." This is not good intel.
Agreed, which is why I questioned, on another list, the verbiage used in the
Snort MSG and classification portion of the rules. In the case I questioned,
the priority was the same for the classification that fit the rules better, so
the "relaxed" MSG and classification text would not raise hackles as much as
they currently do. The case in question was much the same as you depict: some
traffic that fit a certain rule was classed as "trojan activity" when it was
not, and only matched the rule in question.
While I agree that the tags can help in these cases, I'd much rather see the
classifications of rules better conform to what they are truly detecting. An
example is the RBN rules: not all traffic from RBN-related addresses is trojan
or bad traffic. Reclassifying those rules to indicate /possible/ bad traffic is
better than what is currently in place.
The next question is whether this is going to be done. I don't specifically
recall any responses to my post in that other thread on this topic, though :?
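As an added example (not part of this thread, and not code from the Snort project), the Python script below shows what a reclassification like the one discussed above does to a rule's effective priority: Snort honours an explicit `priority:` option when one is present, and otherwise falls back to the classtype's default from classification.config. The two rules and their sids are constructed placeholders, not the VRT or ET rule text, and the four classification lines are assumed to match the stock classification.config shipped with Snort 2.x.

```python
import re

# Constructed excerpt of classification.config (assumed to match the stock
# Snort 2.x file: name, description, default priority).
CLASSIFICATION_CONFIG = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: misc-activity,Misc activity,3
"""

# Constructed rules with placeholder sids; not the real VRT/ET rule text.
# The second rule carries an explicit priority: option on purpose.
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN messenger http link transmission attempt"; flow:to_server,established; content:"http|3A|//"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RBN known bad address traffic"; flow:to_client; classtype:trojan-activity; priority:2; sid:9000002; rev:1;)
"""


def parse_classifications(text):
    """Return {classtype: (description, default_priority)} from config lines."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"config classification:\s*([\w-]+),([^,]*),(\d+)", line)
        if m:
            table[m.group(1)] = (m.group(2).strip(), int(m.group(3)))
    return table


def split_options(opts):
    """Split a rule's option string on ';' while ignoring ';' inside quotes.
    (Backslash-escaped quotes inside msg: are not handled; none occur here.)"""
    parts, buf, in_quotes = [], "", False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    return parts


def parse_rule(line):
    """Parse one rule line into a dict of option name -> value (header kept)."""
    head, _, opts = line.partition("(")
    opts = opts.rstrip().rstrip(")")
    rule = {"header": head.strip()}
    for part in split_options(opts):
        key, _, val = part.partition(":")
        rule[key.strip()] = val.strip().strip('"')
    return rule


def effective_priority(rule, classes):
    """Explicit priority: wins; otherwise the classtype default (None if unknown)."""
    if "priority" in rule:
        return int(rule["priority"])
    ct = rule.get("classtype")
    return classes[ct][1] if ct in classes else None


def reclassify(line, new_classtype):
    """Text-level rewrite of a rule's classtype option."""
    return re.sub(r"classtype:\s*[\w-]+;", f"classtype:{new_classtype};", line)


def priority_report(rules_text, class_text, new_classtype):
    """For each rule: (sid, old classtype, old priority, new classtype, new priority)."""
    classes = parse_classifications(class_text)
    report = []
    for line in rules_text.splitlines():
        before = parse_rule(line)
        after = parse_rule(reclassify(line, new_classtype))
        report.append((before["sid"], before["classtype"],
                       effective_priority(before, classes),
                       after["classtype"], effective_priority(after, classes)))
    return report


if __name__ == "__main__":
    for target in ("policy-violation", "misc-activity"):
        for row in priority_report(RULES, CLASSIFICATION_CONFIG, target):
            print("sid %s: %s (prio %s) -> %s (prio %s)" % row)
```

Moving the constructed MSN rule from trojan-activity to policy-violation changes the text operators see but leaves the default priority at 1, while moving it to misc-activity drops it to 3; the RBN-style rule keeps priority 2 either way because its explicit `priority:` option overrides the classtype default.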