[Snort-users] Reliability of signatures

Fraser, Hugh hugh.fraser at ...15146...
Fri Feb 4 11:08:13 EST 2011


I count about 30,000 signatures in the feed I pull down. That's a big effort to categorize. So perhaps an initial pass using the classifications might give a reasonable starting point. I was thinking that further refinement effort could be driven by the signatures that are most active at any time, like the way SANS directs their efforts using dshield to identify what's most important. Over time, the most active signatures receive the most attention.

-----Original Message-----
From: Martin Holste [mailto:mcholste at ...11827...] 
Sent: Friday, February 04, 2011 10:52 AM
To: Joel Esler
Cc: Martin Roesch; snort-users at lists.sourceforge.net; Fraser, Hugh
Subject: Re: [Snort-users] Reliability of signatures

>> I like that idea too.  It'd make a lot of sense to integrate it into 
>> snort.org - in fact there's probably a lot of data about Snort 
>> detection performance, config options and rule quality we could put 
>> up there.  Communication favors the defender...
>>

Thanks, Marty.  I'm all for free resources, but that would make this project vendor-sponsored, which makes my spider senses tingle...  I'd feel better if a non-profit hosted, or at least a company that doesn't sell signatures.  Otherwise, it'd be like Starbucks sponsoring a coffee rating site.  Up-vote for Trenta!

>
> I would think it would need to have some kind of automatic reporting 
> method, perhaps with manual commenting?
> J

What do you mean by automatic?  I'd think we'd want this to remain manual, but as integrated into the analysis process as possible via whatever GUI you're using.  For SF products, a button built into the GUI, and maybe something to click on in Snorby, et al.?  And, of course, there would need to be the manual vote page on the site.  A basic JSON API to receive submissions would do fine on the web side.

Actually, I could probably code this up this weekend if someone volunteers a neutral hosting space.  Will Jeff Atwood sue if we use snortoverflow.com?
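The prioritization Hugh describes above (a first pass by classtype, then attention driven by which signatures actually fire) can be scripted against a ruleset and an alert log. The following is an added illustration, not code from this thread or from the Snort project: it parses the sid/classtype/msg options out of Snort rule lines, tallies hits per generator:sid from alerts in Snort's "fast" output format, and produces a classtype summary plus a review order with the most active rules first. The rules and alert lines are constructed for the example (custom-range sids, private addresses) and the function names are the author's own; a real run would read the rule files and alert log from disk instead.

```python
import re
from collections import Counter

# Constructed sample rules (made up for this example; the sids are in the
# local/custom range and do not correspond to any published ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB traversal attempt"; content:"../"; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; classtype:attempted-admin; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ICMP ping"; itype:8; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC outbound"; classtype:policy-violation; sid:1000004; rev:1;)
# comment lines and commented-out (disabled) rules are skipped
#alert tcp any any -> any any (msg:"EXAMPLE disabled"; classtype:misc-activity; sid:1000005; rev:1;)
"""

# Constructed alert lines in Snort "fast" format. Volumes are chosen so a
# low-priority rule dominates, and one alert comes from a sid that is not in
# the loaded ruleset (e.g. a rule removed after the log was written).
SAMPLE_ALERTS = """\
02/04-11:00:01.000001  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10
02/04-11:00:02.000001  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 192.168.1.10
02/04-11:00:03.000001  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
02/04-11:00:04.000001  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.8 -> 192.168.1.10
02/04-11:00:05.000001  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10
02/04-11:01:00.000001  [**] [1:1000002:1] EXAMPLE SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51000 -> 192.168.1.20:22
02/04-11:01:01.000001  [**] [1:1000002:1] EXAMPLE SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51001 -> 192.168.1.20:22
02/04-11:01:02.000001  [**] [1:1000002:1] EXAMPLE SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51002 -> 192.168.1.20:22
02/04-11:02:00.000001  [**] [1:1000001:2] EXAMPLE WEB traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:52000 -> 192.168.1.30:80
02/04-11:03:00.000001  [**] [1:2000001:1] EXAMPLE rule not in loaded set [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:53000 -> 192.168.1.30:443
"""

# A rule is "<action> <header> ( <options> )"; the header never contains "(".
RULE_RE = re.compile(r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<header>[^(]*)\((?P<opts>.*)\)\s*$')
# "key:value;" pairs inside the options; quoted values may contain ";".
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
# "[gid:sid:rev]" as printed in fast-format alerts.
ALERT_ID_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')


def parse_rules(text):
    """Return {(gid, sid): {"msg", "classtype", "rev"}} for every enabled rule."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank, comment, or disabled rule
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a variable definition)
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group('opts'))}
        if 'sid' not in opts:
            continue  # every real rule carries a sid; skip malformed ones
        key = (int(opts.get('gid', 1)), int(opts['sid']))
        rules[key] = {
            'msg': opts.get('msg', ''),
            'classtype': opts.get('classtype', 'unclassified'),
            'rev': int(opts.get('rev', 0)),
        }
    return rules


def count_alerts(text):
    """Tally alerts per (gid, sid) from fast-format alert lines."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_ID_RE.search(line)
        if m:
            gid, sid, _rev = (int(x) for x in m.groups())
            counts[(gid, sid)] += 1
    return counts


def classtype_summary(rules, counts):
    """The 'initial pass': rule count and alert volume per classtype."""
    summary = {}
    for key, info in rules.items():
        entry = summary.setdefault(info['classtype'], {'rules': 0, 'hits': 0})
        entry['rules'] += 1
        entry['hits'] += counts.get(key, 0)
    return summary


def prioritize(rules, counts):
    """Review order: most active rules first, never-fired rules at the bottom
    (kept so the full backlog stays visible), ties broken by gid:sid."""
    ranked = [{'gid': k[0], 'sid': k[1], 'hits': counts.get(k, 0), **v}
              for k, v in rules.items()]
    ranked.sort(key=lambda r: (-r['hits'], r['gid'], r['sid']))
    return ranked


def orphan_alerts(rules, counts):
    """Alerts whose gid:sid is absent from the loaded ruleset; worth flagging
    rather than silently dropping, since they skew the activity picture."""
    return {k: n for k, n in counts.items() if k not in rules}


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    counts = count_alerts(SAMPLE_ALERTS)
    print('classtype summary:')
    for ct, e in sorted(classtype_summary(rules, counts).items(), key=lambda kv: -kv[1]['hits']):
        print(f"  {ct:<24} rules={e['rules']:<3} hits={e['hits']}")
    print('review order (most active first):')
    for r in prioritize(rules, counts):
        print(f"  {r['hits']:>4}  {r['gid']}:{r['sid']}  [{r['classtype']}] {r['msg']}")
    for key, n in orphan_alerts(rules, counts).items():
        print(f"  note: {key[0]}:{key[1]} fired {n}x but is not in the loaded rules")
```

The ranking is by raw hit count only, which is exactly the bias Hugh's approach accepts: a noisy low-priority rule will sit above a rarely-firing high-priority one, so the classtype summary is there to keep the quieter categories in view rather than letting volume alone decide what gets reviewed.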