[Snort-users] Reliability of signatures
wkitty42 at ...14940...
Fri Feb 4 19:50:49 EST 2011
On 2/4/2011 13:45, Martin Holste wrote:
>> Personally, I'd like to know what
>> the most important (as measured, perhaps, as the most hits)
> Ok, hang on--I'd actually say that you can get a pretty good idea of
> the most important signatures by sorting them in ascending order by
> hits. The higher the number of hits, the greater probability that
> each hit is an FP and the signature isn't helpful.
on the surface, i can't agree with this... in my environment, which has been
carefully tuned for my network(s), i see almost no false positives... almost
every rule alerted on is properly alerted on the contents of the network
packet(s) analyzed... the problem that i've found is that while a packet might
match the rule, the rule MSG is on the "scare" side of the fence such that all
traffic that matches the rule is classified incorrectly... while some traffic
might be classified correctly, the "FP" traffic is not even though it /does/
match the rule in question...
> Important caveats
> would be for the sigs that aren't alerting on "bad" traffic, but
> traffic that is usually good unless it's from a certain IP address
> (JAR files, exe files, etc.) or SCAN signatures. That nuance actually
> makes this kind of hard to do in a helpful way.
i think i see what you are saying and that i can agree with it ;)
> It's for this reason that I want the manual submissions, not based on logs.
+1.5 with a caveat that this means more manual labor for those who are already
stuffed to the gills if they want to contribute... i'm not sure, off the top of
my head, how this might be handled... especially in an environment where there
are no reporting participation capabilities in place :?
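The thread argues about ranking signatures by hit count and about whether a noisy signature is a false positive, an over-alarming rule message, or traffic that is benign unless it comes from a particular host. As an added example (not code from the thread or from the Snort project), the script below parses constructed alert lines in Snort's fast-alert format, aggregates hits per signature, produces the hit-count ranking discussed above, and adds a simple triage heuristic of my own: a high-volume signature spread across many sources is a tuning/message-review candidate, while the same volume from a single source is something to look at rather than suppress. The sample alerts, SIDs in the 9000000 range and the thresholds are all assumptions for illustration.

```python
import re

# Constructed sample alert lines in Snort "fast" alert format (not taken from the thread).
# Three signatures: one broad rule firing across many hosts, one scan-like rule from a
# single source, and one low-volume rule.
SAMPLE_ALERTS = """\
02/04-13:45:01.000001  [**] [1:9000001:1] CONSTRUCTED executable download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.7:80
02/04-13:45:02.000002  [**] [1:9000001:1] CONSTRUCTED executable download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.6:51235 -> 203.0.113.8:80
02/04-13:45:03.000003  [**] [1:9000001:1] CONSTRUCTED executable download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51236 -> 203.0.113.9:80
02/04-13:45:04.000004  [**] [1:9000001:1] CONSTRUCTED executable download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:51237 -> 203.0.113.7:80
02/04-13:45:05.000005  [**] [1:9000002:2] CONSTRUCTED port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.4:40000 -> 10.0.0.5:22
02/04-13:45:06.000006  [**] [1:9000002:2] CONSTRUCTED port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.4:40001 -> 10.0.0.5:23
02/04-13:45:07.000007  [**] [1:9000002:2] CONSTRUCTED port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.4:40002 -> 10.0.0.5:80
02/04-13:45:08.000008  [**] [1:9000003:1] CONSTRUCTED shell in HTTP body [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:53000 -> 10.0.0.20:80
this line is deliberately unparseable and must be skipped
"""

# Matches the fixed parts of a fast-alert line: [gid:sid:rev], the rule msg, {proto}, src -> dst.
FAST_ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def strip_port(addr):
    """Drop a trailing ':port' from an IPv4 address; ICMP alerts carry no port (IPv4 only)."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host
    return addr


def parse_alerts(text):
    """Yield one dict per parseable fast-alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FAST_ALERT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src"] = strip_port(rec["src"])
            rec["dst"] = strip_port(rec["dst"])
            yield rec


def summarize(alerts):
    """Aggregate per (gid, sid): hit count, rule msg, distinct sources and destinations."""
    stats = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        s = stats.setdefault(key, {"msg": a["msg"], "hits": 0, "srcs": set(), "dsts": set()})
        s["hits"] += 1
        s["srcs"].add(a["src"])
        s["dsts"].add(a["dst"])
    return stats


def rank_by_hits(stats):
    """Order signatures noisiest first: the hit-count ranking the thread discusses."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))


def triage(stats, min_hits=3):
    """My own heuristic, not the list's: a noisy signature hit by many distinct sources
    looks like ordinary traffic matching an over-broad rule (review the rule, its msg or
    a threshold); the same volume from one source reads as scan-like and deserves a look
    rather than a suppression; anything below min_hits is left alone."""
    verdicts = {}
    for key, s in stats.items():
        if s["hits"] < min_hits:
            verdicts[key] = "low-volume"
        elif len(s["srcs"]) == 1:
            verdicts[key] = "single-source"
        else:
            verdicts[key] = "broad-match"
    return verdicts


if __name__ == "__main__":
    stats = summarize(parse_alerts(SAMPLE_ALERTS))
    verdicts = triage(stats)
    for (gid, sid), s in rank_by_hits(stats):
        print(f"{gid}:{sid} hits={s['hits']:3d} srcs={len(s['srcs'])} "
              f"dsts={len(s['dsts'])} {verdicts[(gid, sid)]:14s} {s['msg']}")
```

Run against a real `alert` file by replacing SAMPLE_ALERTS with the file contents; the "broad-match" bucket is where the thread's point about rule messages being on the "scare" side tends to show up, since those rules match correctly but describe ordinary traffic in alarming terms.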