[Snort-users] Reliability of signatures

waldo kitty wkitty42 at ...14940...
Fri Feb 4 19:34:58 EST 2011


On 2/4/2011 09:50, Martin Holste wrote:
> For instance, the signature "CHAT MSN
> messenger http link transmission attempt" is classified as Trojan
> activity.  Sure, links in an MSN message can point to malware, but I
> hardly think that every MSN message with a link in it should be
> classified as "Trojan activity."  This is not good intel.

agreed which is why i questioned, on another list, the verbiage used in the 
snort MSG and classification portion of the rules... in the case that i 
questioned, the priority was the same for the classification that fit better to 
the rules... the "relaxed" MSG and classification text would not raise hackles 
as much as they currently do... the case in question was much the same as you 
depict... some traffic that fit a certain rule was classed as "trojan activity" 
when it was not and only matched the rule in question...

while i agree that the tags can help in these cases, i'd much rather see the 
classifications of rules better conform to what they are truly detecting... an 
example is RBN rules... not all traffic from RBN related addresses is trojan or 
bad traffic... reclassifying those rules to indicate /possible/ bad traffic is 
better than what is currently in place...

the next question is if this is going to be done... i don't specifically recall 
any responses to my post in that other thread on this topic, though :?
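As an added example (not code from this thread or from the Snort project), the following audit parses the msg, classtype, sid and priority options out of Snort rule text and flags rules whose msg category does not match the classtype, reporting the default priority each classtype carries in classification.config so the "same priority, different label" situation described above becomes visible. The sample rules, the classification.config fragment and the CHAT-to-policy-violation expectation are constructed here and are assumptions, not real ruleset content.

```python
import re

# Constructed sample rules in Snort syntax (not taken from any real ruleset).
RULES = '''
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN messenger http link transmission attempt"; content:"http://"; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC known trojan beacon"; content:"|00 01|"; classtype:trojan-activity; sid:1000002; rev:1;)
'''

# Constructed classification.config fragment; the line format is Snort's
# "config classification: name,description,priority".
CLASSIFICATION_CONFIG = '''
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
'''

# Assumption for this audit: which classtype a msg category prefix should carry.
EXPECTED_BY_PREFIX = {"CHAT": "policy-violation"}

# Matches the rule options we care about; quoted values may contain escaped quotes.
OPT_RE = re.compile(r'\b(msg|classtype|sid|priority):\s*("(?:[^"\\]|\\.)*"|[^;]+);')

def parse_classifications(text):
    """Map classtype name -> default priority from classification.config lines."""
    prio = {}
    for line in text.splitlines():
        m = re.match(r'\s*config classification:\s*([\w-]+),[^,]*,(\d+)', line)
        if m:
            prio[m.group(1)] = int(m.group(2))
    return prio

def parse_rule(line):
    """Extract the selected option keywords from one rule line, unquoting values."""
    return {k: v.strip().strip('"') for k, v in OPT_RE.findall(line)}

def audit(rules_text, expected_by_prefix, priorities):
    """Return one finding per rule whose classtype disagrees with its msg prefix."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("alert"):
            continue
        r = parse_rule(line)
        prefix = r.get("msg", "").split(" ", 1)[0]
        want, have = expected_by_prefix.get(prefix), r.get("classtype")
        if want and have != want:
            # An explicit priority: option overrides the classtype default.
            effective = int(r.get("priority", priorities.get(have, 0)))
            findings.append({"sid": r.get("sid"), "msg": r.get("msg"), "classtype": have,
                             "priority": effective, "suggested": want,
                             "suggested_priority": priorities.get(want)})
    return findings

if __name__ == "__main__":
    for f in audit(RULES, EXPECTED_BY_PREFIX, parse_classifications(CLASSIFICATION_CONFIG)):
        print(f)
```

On the constructed input the MSN rule is reported with classtype trojan-activity where policy-violation is expected, at the same priority 1 either way, while the MALWARE-CNC rule passes untouched.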
