[Snort-users] Reliability of signatures

Fraser, Hugh hugh.fraser at ...15146...
Fri Feb 4 10:41:10 EST 2011


I understand that the priority and classification alone aren't enough to
make a decision, but I use OSSIM as the decision making tool and
incorporate a lot of other sources of information (including a
commercial IDS/IPS) along with associated correlation rules to try to
make an intelligent decision about what's happening. What I'm looking
for is less the characterization, but more the "how sure are we this is
really what we think it is" to help with the calculation of risk. 

-----Original Message-----
From: Martin Holste [mailto:mcholste at ...11827...] 
Sent: Friday, February 04, 2011 9:51 AM
To: Fraser, Hugh
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Reliability of signatures

> The snort signatures have a priority associated with them, either in 
> the rule itself, or in the classification. Is there anywhere that the 
> reliability (ie. the chance of it not reporting a false positive) of 
> the signature is recorded?
>

No.  There has been a lot of discussion regarding whether or not
something like that would be helpful.  I think the short answer is that
environments and preferences vary too widely to be able to effectively
communicate a signature's fidelity.  I would also argue for those same
reasons priority should not be suggested either and it should be
deprecated.

I ignore both priority and classification for signatures as they are
terribly broken right now.  For instance, the signature "CHAT MSN
messenger http link transmission attempt" is classified as Trojan
activity.  Sure, links in an MSN message can point to malware, but I
hardly think that every MSN message with a link in it should be
classified as "Trojan activity."  This is not good intel.

An effort is underway to redo the classification system, which is very
welcome.  However, I believe the new classification system will be
almost as unhelpful because though more specific, it only allows for a
signature to be placed in one category.  I favor a tagging system in
which a signature can have many tags applied to it for a comprehensive
representation of the signature author's intent.
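As an added example (not code from this thread or from the Snort project), the following Python shows how a rule's priority is actually resolved, from an explicit `priority:` option first and otherwise from the classtype's entry in classification.config, and how a locally maintained fidelity value could be carried alongside it, since the ruleset itself has no such field. The classification entries, rules, sids and fidelity numbers are constructed, and the fidelity-over-priority weighting is illustrative rather than an OSSIM formula.

```python
import re

# Constructed excerpt in the syntax of Snort's classification.config
# (config classification: shortname,description,priority); not the real file.
CLASSIFICATION_CONFIG = """
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
"""

# Constructed rules; sids 1000001-1000003 are local-range placeholders. An
# explicit priority:N; option in a rule overrides the classtype's priority.
RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT MSN messenger http link transmission attempt"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE explicit priority"; classtype:trojan-activity; priority:1; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE dns noise"; classtype:misc-activity; sid:1000003; rev:1;)
"""

# Locally maintained fidelity (0..1) per sid, the "how sure are we" value the
# ruleset does not carry. Assumed numbers; unknown sids get the default.
LOCAL_FIDELITY = {1000002: 0.9, 1000003: 0.2}
DEFAULT_FIDELITY = 0.5

def parse_classifications(text):
    """Map classtype shortname -> priority from classification.config lines."""
    classes = {}
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([\w-]+),[^,]*,(\d+)", line)
        if m:
            classes[m.group(1)] = int(m.group(2))
    return classes

def effective_priority(opts, classes):
    """Explicit priority option wins; otherwise inherit from the classtype."""
    if "priority" in opts:
        return int(opts["priority"])
    return classes.get(opts.get("classtype"))

def score_rules(rules_text, classes_text):
    """Per sid: msg, effective priority, fidelity, and fidelity/priority score."""
    classes = parse_classifications(classes_text)
    rows = {}
    for line in rules_text.splitlines():
        if not line.startswith("alert"):
            continue
        # option:value pairs from the rule body; quotes around msg are stripped
        opts = dict(re.findall(r'(\w+):\s*"?([^;"]*)"?;', line))
        sid = int(opts["sid"])
        prio = effective_priority(opts, classes)
        fid = LOCAL_FIDELITY.get(sid, DEFAULT_FIDELITY)
        rows[sid] = {"msg": opts["msg"], "priority": prio, "fidelity": fid,
                     "score": fid / prio if prio else 0.0}
    return rows
```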
