[Snort-users] [Emerging-Sigs] Reliability of signatures

Michael Scheidell michael.scheidell at ...8144...
Thu Feb 10 10:07:18 EST 2011


On 2/10/11 10:04 AM, Matt Olney wrote:
> And I would argue that "no iis" here isn't a valid FP.  The signature 
> performed correctly and notified you that a scan attempt was under 
> way.  It is up to the system admin to correctly 
> suppress/disable/modify rules that do not target his network.  In our 
> view, a FP only occurs when network traffic triggers an alert that is 
> specifically NOT traffic that the rule was intended to fire on.  The 
> rules are application/server agnostic (some wiggle room in this 
> comment both currently and in the future) they are solely based on the 
> traffic on the wire.
And, again, the point being, you need to allow idiots to mark it a FP in 
a way that will not affect reliability stats.
Been doing this for 5 years with email, I really do know it matters.
Lusers are idiots.  Management won't allow bofh's anymore, so, you allow 
them to click a useless button.
-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

