[Snort-users] Reliability of signatures

Fraser, Hugh hugh.fraser at ...15146...
Fri Feb 4 13:09:14 EST 2011

The discussion's got me thinking beyond my original question. What I've
asked for represents two views of the signature world; my local view,
and the community's view as a whole. Personally, I'd like to know what
the most important (as measured, perhaps, as the most hits) 20 or so
signatures in the past day, week, and month. I'd like to know trends,
since they're often good predictors of what the bad guys are up to,
leading to an idea of what I should be watching for. And I'd like to be
able to rate each of those top 20 things based upon their impact on my
environment. As Martin says, it's a manual thing. To me, this is a
simple application that takes the snort log files (or database records)
and does some statistical analysis, and a form to present the results
and allow me to rate the signatures. 

I'd then like to be able to submit this information somewhere, and
receive daily the same stats aggregated for the entire community,
perhaps embedded within my snort signature feed. In the form I use for
rating my private part of the world, I could also see results for the
community as well, again to give me a heads up about what's happening
from a higher altitude. This is what dshield does with network traffic,
and I'm sure they have some analysis going on in the background that
throttles multiple submissions and tosses statistically insignificant
results to ensure that the stats aren't easilly distorted by malicious

I'd certainly make reporting this part of our incident response process
here, and would likely check the information daily to stay current with
emerging trends. Add a link to a web site for a discussion area for the
current top hitters, and I'm in heaven.

-----Original Message-----
From: Martin Holste [mailto:mcholste at ...11827...] 
Sent: Friday, February 04, 2011 11:52 AM
To: Jason Wallace
Cc: snort-users at lists.sourceforge.net; Martin Roesch
Subject: Re: [Snort-users] Reliability of signatures

> 1) Isn't accuracy of rules in part reliant on how well the sensor is
Yep, each up/down vote would equal one grain of salt.

> 2) Isn't the determination of a legit hit vs. FP partially dependent 
> on the analysis skill?
Yep, see above.

> 3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev 
> bumps are often done to fix FP issues.
Yep, I would actually go with G:S:R along with the SHA1 of the

> 4) Wouldn't an open submission process/tool be vulnerable to malicious

> bad data submissions?
Yep.  You would have to put in a threshold for submissions of some sort
and see how it goes.  Worst-case, a captcha.

In my mind, this only works if each up/down vote is a manual action done
during the course of an investigation.  Basically, I want to know what
signatures were helpful to other IR teams during their investigations.
I want to be sure those rules are included in my ruleset.  Obviously,
all submissions would have to be anonymous.  IP's would be nice, but
then there's a chance someone could mess up src/dst IP and accidentally
de-anonymize themselves.

The modern datacenter depends on network connectivity to access
resources and provide services. The best practices for maximizing a
physical server's connectivity to a physical network are well understood
- see how these rules translate into the virtual world? 
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list