Snort mailing list archives

Re: Reliability of signatures

From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Feb 2011 11:17:22 -0500

On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste () gmail com> wrote:

I like that idea too.  It'd make a lot of sense to integrate it into
snort.org - in fact there's probably a lot of data about Snort
detection performance, config options and rule quality we could put up
there.  Communication favors the defender...


Thanks, Marty.  I'm all for free resources, but that would make this
project vendor-sponsored, which makes my spider senses tingle...  I'd
feel better if a non-profit hosted, or at least a company that doesn't
sell signatures.  Otherwise, it'd be like Starbucks sponsoring a
coffee rating site.  Up-vote for Trenta!

Vendor sponsored projects are okay I think, especially since we have the

resources to donate to a project that is going to make everyone's detection
better.

I would think it would need to have some kind of automatic reporting

method,

perhaps with manual commenting?
J


What do you mean by automatic?  I'd think we'd want this to remain
manual, but as integrated into the analysis process as possible via
whatever GUI you're using.  For SF products, a button built into the
GUI, and maybe something to click on in Snorby, et al.?  And, of
course, there would need to be the manual vote page on the site.  A
basic JSON API to receive submissions would do fine on the web side.

Actually, I could probably code this up this weekend if someone
volunteers a neutral hosting space.  Will Jeff Atwood sue if we use
snortoverflow.com?



What I was thinking was having a reputation (hit) count score from gid:sid
and maybe from the IP involved, then allow people to comment on said results
manually.

Using that information could build a high or low reputation score based upon
actual results, allowing the ruleset to be better tuned and formed, allowing
reduction of false positives or false negatives.

Just thinking outloud (which is usually a bad habit)

Joel

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Reliability of signatures, (continued)
- - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Matt Olney (Feb 04)
    - Re: Reliability of signatures Jim Hranicky (Feb 04)
    - Re: Reliability of signatures Matt Olney (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Jim Hranicky (Feb 04)
    - Re: Reliability of signatures Martin Roesch (Feb 04)
    - Re: Reliability of signatures Joel Esler (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Michael Scheidell (Feb 04)
    - Re: Reliability of signatures Joel Esler (Feb 04)
    - Re: Reliability of signatures Michael Scheidell (Feb 04)
    - Re: Reliability of signatures Nigel Houghton (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Nigel Houghton (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Nigel Houghton (Feb 04)
    - Re: Reliability of signatures Joel Esler (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures beenph (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)

(Thread continues...)