Snort mailing list archives
Re: Reliability of signatures
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 4 Feb 2011 11:38:04 -0500
Maybe I'm missing something here that everyone else sees, but I don't see how this could produce any form of reliable data. 1) Isn't accuracy of rules in part reliant on how well the sensor is tuned? 2) Isn't the determination of a legit hit vs. FP partially dependent on the analysis skill? 3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev bumps are often done to fix FP issues. 4) Wouldn't an open submission process/tool be vulnerable to malicious bad data submissions? Thx, Wally On Fri, Feb 4, 2011 at 11:17 AM, Joel Esler <jesler () sourcefire com> wrote:
On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste () gmail com> wrote:I like that idea too. It'd make a lot of sense to integrate it into snort.org - in fact there's probably a lot of data about Snort detection performance, config options and rule quality we could put up there. Communication favors the defender...Thanks, Marty. I'm all for free resources, but that would make this project vendor-sponsored, which makes my spider senses tingle... I'd feel better if a non-profit hosted, or at least a company that doesn't sell signatures. Otherwise, it'd be like Starbucks sponsoring a coffee rating site. Up-vote for Trenta!Vendor sponsored projects are okay I think, especially since we have the resources to donate to a project that is going to make everyone's detection better.I would think it would need to have some kind of automatic reporting method, perhaps with manual commenting? JWhat do you mean by automatic? I'd think we'd want this to remain manual, but as integrated into the analysis process as possible via whatever GUI you're using. For SF products, a button built into the GUI, and maybe something to click on in Snorby, et al.? And, of course, there would need to be the manual vote page on the site. A basic JSON API to receive submissions would do fine on the web side. Actually, I could probably code this up this weekend if someone volunteers a neutral hosting space. Will Jeff Atwood sue if we use snortoverflow.com?What I was thinking was having a reputation (hit) count score from gid:sid and maybe from the IP involved, then allow people to comment on said results manually. Using that information could build a high or low reputation score based upon actual results, allowing the ruleset to be better tuned and formed, allowing reduction of false positives or false negatives. Just thinking outloud (which is usually a bad habit) Joel ------------------------------------------------------------------------------ The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: [Emerging-Sigs] Reliability of signatures, (continued)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Joel Esler (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Crusty Saint (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matthew Jonkman (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures List Subscriptions (Feb 10)
- Re: Reliability of signatures Jason Wallace (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Fraser, Hugh (Feb 07)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Jason Wallace (Feb 04)
- Re: Reliability of signatures beenph (Feb 04)
- Re: Reliability of signatures waldo kitty (Feb 04)
- Re: Reliability of signatures waldo kitty (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Matthew Jonkman (Feb 04)