[Snort-users] [Emerging-Sigs] Reliability of signatures
michael.scheidell at ...8144...
Thu Feb 10 10:07:18 EST 2011
On 2/10/11 10:04 AM, Matt Olney wrote:
> And I would argue that "no iis" here isn't a valid FP. The signature
> performed correctly and notified you that a scan attempt was under
> way. It is up to the system admin to correctly
> suppress/disable/modify rules that do not target his network. In our
> view, a FP only occurs when network traffic triggers an alert that is
> specifically NOT traffic that the rule was intended to fire on. The
> rules are application/server agnostic (some wiggle room in this
> comment both currently and in the future) they are solely based on the
> traffic on the wire.
And, again, the point being: you need to allow idiots to mark it an FP in
a way that will not affect reliability stats.
Been doing this for 5 years with email; I really do know it matters.
Lusers are idiots. Management won't allow BOFHs anymore, so you allow
them to click a useless button.
Michael Scheidell, CTO
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008