Snort mailing list archives
Re: Reliability of signatures
From: Matt Olney <molney () sourcefire com>
Date: Fri, 4 Feb 2011 10:12:49 -0500
For VRT rules you can report FPs here:
http://www.snort.org/snort-rules/submit-a-false-positive
or you can drop an email to research () sourcefire com

Matt

On Fri, Feb 4, 2011 at 10:03 AM, Jim Hranicky <jfh () ufl edu> wrote:

> On Fri, 4 Feb 2011 08:50:48 -0600 Martin Holste <mcholste () gmail com> wrote:
>
>>> The snort signatures have a priority associated with them, either in the
>>> rule itself, or in the classification. Is there anywhere that the
>>> reliability (ie. the chance of it not reporting a false positive) of the
>>> signature is recorded?
>>
>> No. There has been a lot of discussion regarding whether or not
>> something like that would be helpful. I think the short answer is
>> that environments and preferences vary too widely to be able to
>> effectively communicate a signature's fidelity. I would also argue
>> for those same reasons priority should not be suggested either and it
>> should be deprecated.
>
> Seems like there'd almost need to be a central place that various
> entities could report their findings. I know we've got rules that
> we rely on heavily and work very well for us, but other than mailing
> lists there's no place to report our findings.
>
> Anyone want to volunteer ? Sounds trivial :-p
>
> --
> Jim Hranicky
> IT Security Engineer
> Office of Information Security and Compliance
> University of Florida
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Increase in ASN.1 alerts Joe Gedeon (Feb 02)
- Re: Increase in ASN.1 alerts Michael Scheidell (Feb 02)
- Reliability of signatures Fraser, Hugh (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Matt Olney (Feb 04)
- Re: Reliability of signatures Jim Hranicky (Feb 04)
- Re: Reliability of signatures Matt Olney (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Jim Hranicky (Feb 04)
- Re: Reliability of signatures Martin Roesch (Feb 04)
- Re: Reliability of signatures Joel Esler (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Joel Esler (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Nigel Houghton (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)