[Snort-users] [Emerging-Sigs] Reliability of signatures

Michael Stone mstone+snort at ...10946...
Thu Feb 10 08:30:35 EST 2011


On Fri, Feb 04, 2011 at 02:01:05PM -0500, Matthew Jonkman wrote:
>I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just not of interest, vs not hitting on what it's supposed to be looking for.

Well, even that distinction isn't so clear. Does "what it's supposed to 
be looking for" mean "the string the signature was written against" or 
"the malware the signature was written against"? 

Mike Stone



