[Snort-users] [Emerging-Sigs] Reliability of signatures
mstone+snort at ...10946...
Thu Feb 10 08:30:35 EST 2011
On Fri, Feb 04, 2011 at 02:01:05PM -0500, Matthew Jonkman wrote:
>I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just not of interest, vs not hitting on what it's supposed to be looking for.
Well, even that distinction isn't so clear. Does "what it's supposed to
be looking for" mean "the string the signature was written against" or
"the malware the signature was written against"?