Snort mailing list archives
Re: Reliability of signatures
From: Martin Holste <mcholste () gmail com>
Date: Fri, 4 Feb 2011 10:51:53 -0600
1) Isn't accuracy of rules in part reliant on how well the sensor is tuned?
Yep, each up/down vote would equal one grain of salt.
2) Isn't the determination of a legit hit vs. FP partially dependent on the analysis skill?
Yep, see above.
3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev bumps are often done to fix FP issues.
Yep, I would actually go with G:S:R along with the SHA1 of the signature.
4) Wouldn't an open submission process/tool be vulnerable to malicious bad data submissions?
Yep. You would have to put in a threshold for submissions of some sort and see how it goes. Worst-case, a captcha. In my mind, this only works if each up/down vote is a manual action done during the course of an investigation. Basically, I want to know what signatures were helpful to other IR teams during their investigations. I want to be sure those rules are included in my ruleset.

Obviously, all submissions would have to be anonymous. IPs would be nice, but then there's a chance someone could mess up src/dst IP and accidentally de-anonymize themselves.
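The keying and voting scheme sketched in this thread (GID:SID:REV plus a SHA1 of the rule text as the identifier, manual up/down votes, and a submission threshold to blunt bad data) can be made concrete. The following is an added example written for this page, not code from any poster or from Snort itself: the sample rules are constructed, the `VoteTally` class and its per-source threshold are assumptions about how a collector might work, and the opaque `source_token` stands in for whatever anonymous submission credential such a collector would issue (never an IP, as the post notes).

```python
"""Fingerprint Snort rules by GID:SID:REV plus a SHA1 of the rule body, and
tally anonymous up/down votes with a simple per-source submission threshold.
Added example; the rules below are constructed and not from any real ruleset."""
import hashlib
import re
from collections import defaultdict

# Constructed sample rules. Rule 0 and rule 1 share GID:SID but differ in rev
# (the kind of rev bump done to fix a false positive), so they must tally apart.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'content:"/probe"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'content:"/probe"; http_uri; sid:1000001; rev:2;)',
    'alert udp any any -> any 53 (msg:"EXAMPLE dns lookup"; gid:3; sid:1000002; rev:1;)',
]

# Matches the gid/sid/rev options; the trailing colon and semicolon keep it
# from firing on words like "reverse" inside a msg string.
_OPT_RE = re.compile(r'\b(gid|sid|rev)\s*:\s*(\d+)\s*;')


def rule_key(rule_text):
    """Return (gid, sid, rev, sha1_hex) for one rule.

    gid defaults to 1 and rev to 1 when absent, matching Snort's defaults.
    The SHA1 is taken over the whitespace-normalized rule so that two rules
    carrying the same G:S:R but different bodies still get distinct keys."""
    opts = {k: int(v) for k, v in _OPT_RE.findall(rule_text)}
    if 'sid' not in opts:
        raise ValueError('rule has no sid option')
    normalized = ' '.join(rule_text.split())
    digest = hashlib.sha1(normalized.encode('utf-8')).hexdigest()
    return (opts.get('gid', 1), opts['sid'], opts.get('rev', 1), digest)


def key_str(key):
    """Render a key as G:S:R:SHA1 for display or storage."""
    gid, sid, rev, digest = key
    return f'{gid}:{sid}:{rev}:{digest}'


class VoteTally:
    """Collects manual up/down votes per rule key.

    max_votes_per_source is the submission threshold the post suggests:
    one anonymous source token may cast at most that many votes, which caps
    how much a single bad-faith submitter can skew any rule's score."""

    def __init__(self, max_votes_per_source=5):
        self.max_per_source = max_votes_per_source
        self.votes = defaultdict(lambda: {'up': 0, 'down': 0})
        self.per_source = defaultdict(int)  # opaque source token -> votes cast

    def vote(self, key, helpful, source_token):
        """Record one vote; return False if the source is over its threshold."""
        if self.per_source[source_token] >= self.max_per_source:
            return False
        self.per_source[source_token] += 1
        self.votes[key]['up' if helpful else 'down'] += 1
        return True

    def score(self, key):
        """Net score in [-1, 1]; 0.0 when a rule has received no votes."""
        v = self.votes[key]
        total = v['up'] + v['down']
        return (v['up'] - v['down']) / total if total else 0.0


if __name__ == '__main__':
    tally = VoteTally(max_votes_per_source=2)
    keys = [rule_key(r) for r in SAMPLE_RULES]
    tally.vote(keys[0], False, 'token-a')   # rev 1 judged a false positive
    tally.vote(keys[1], True, 'token-b')    # rev 2 judged helpful
    for k in keys:
        print(key_str(k), tally.score(k))
```

Because the key includes the rev, a rule whose rev 1 was voted down starts with a clean score once its rev 2 ships; the SHA1 additionally catches a rule whose body changed without a rev bump.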