[Snort-users] [Emerging-Sigs] Reliability of signatures

Seth Hall seth at ...14966...
Fri Feb 11 11:37:19 EST 2011


On Feb 11, 2011, at 9:59 AM, Joel Esler wrote:

> On Feb 11, 2011, at 9:55 AM, Seth Hall wrote:
>> 
>> but if that IP address logs into some local box over SSH that would be worth looking into.
> 
> Yes, but that's not SPAM.

Sure, it's not spam but the ultimate detection in this example case would be driven from understanding unwanted activity coming from an IP address and reapplying that information in the future to make a different decision than would have been made otherwise.

> I understand your point there, but SPAM (IMO) should be dealt with at the gateway antivirus/email server/spam filter level (in our case, clamav for instance.)  

I'm not saying that IDS has any role is dealing with the spam, but I think it's supremely worthwhile for it to have a notion of what spam looks like and how to identify spam-like activity.

  .Seth



More information about the Snort-users mailing list