[Snort-users] [Emerging-Sigs] Reliability of signatures

Matthew Jonkman jonkman at ...15020...
Thu Feb 10 10:22:28 EST 2011


On Feb 10, 2011, at 9:53 AM, Matt Olney wrote:
> 
> I think the idea of a community report on FPs is very useful.  I would think that it would be useful for some organizations to have it hosted at Sourcefire or another entity that can be trusted to secure pcap submissions if the submitter wants to provide the data to a trusted source.  Maybe Joel and Jonkman can work something out for information sharing.
> 

Agreed, and I suspect we can work something out. I think if we made a real legal entity (a 501c3 non profit maybe), then that entity could legally enter into non-dosclosure agreements with companies that (rightfully so) need a legal assurance that the data and stats they submit would be protected. 

Will have to put some thought into it...

Matt


> Just some thoughts, back to Razorback dev.
> 
> Matt
> 
> On Thu, Feb 10, 2011 at 8:30 AM, Michael Stone <mstone+snort at ...10946...> wrote:
> On Fri, Feb 04, 2011 at 02:01:05PM -0500, Matthew Jonkman wrote:
> >I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just not of interest, vs nt hitting on what it's supposed to be looking for.
> 
> Well, even that distincion isn't so clear. Does "what it's supposed to
> be looking for" mean "the string the signature was written against" or
> "the malware the signature was written against"?
> 
> Mike Stone
> 
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110210/37fd1d76/attachment.html>


More information about the Snort-users mailing list