[Snort-users] [Emerging-Sigs] Reliability of signatures

Matt Olney molney at ...1935...
Thu Feb 10 10:04:50 EST 2011


And I would argue that "no iis" here isn't a valid FP.  The signature
performed correctly and notified you that a scan attempt was under way.  It
is up to the system admin to correctly suppress/disable/modify rules that do
not target his network.  In our view, a FP only occurs when network traffic
triggers an alert that is specifically NOT traffic that the rule was
intended to fire on.  The rules are application/server agnostic (some wiggle
room in this comment both currently and in the future) they are solely based
on the traffic on the wire.

On Thu, Feb 10, 2011 at 10:00 AM, Michael Scheidell <
michael.scheidell at ...8144...> wrote:

>
>
> On 2/10/11 9:55 AM, Matt Olney wrote:
>
>  Also, SPAM isn't an IDS issue, at
>
> ah, maybe I should have explained.  you missed the point.
>
> there needs to be a definition of FP vs MP for signatures for any of this
> to mean anything.
> one mans SPAM is another mans HAM,  one mans FP is another mans legit hit.
> would you BLOCK on FP #2? maybe not inline, but I sure would blacklist the
> ip.
>
> maybe in the 'human verified checkbox' you give them the ability to mark:
>
> [ ] FP:  signature too broad. matched legit traffic
> [ ] FP:  no IIS servers here,
>
> (just so we have something for them to check)
>
>
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> > *| *SECNAP Network Security Corporation
>
>    - Certified SNORT Integrator
>    - 2008-9 Hot Company Award Winner, World Executive Alliance
>    - Five-Star Partner Program 2009, VARBusiness
>    - Best in Email Security,2010: Network Products Guide
>    - King of Spam Filters, SC Magazine 2008
>
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110210/52208dd2/attachment.html>


More information about the Snort-users mailing list