Re: Reliability of signatures

[Martin Holste <mcholste () gmail com>]

> 1) Isn't accuracy of rules in part reliant on how well the sensor is tuned?
Yep, each up/down vote would equal one grain of salt.

> 2) Isn't the determination of a legit hit vs. FP partially dependent
> on the analysis skill?
Yep, see above.

> 3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev
> bumps are often done to fix FP issues.
Yep, I would actually go with G:S:R along with the SHA1 of the signature.

> 4) Wouldn't an open submission process/tool be vulnerable to malicious
> bad data submissions?
Yep.  You would have to put in a threshold for submissions of some
sort and see how it goes.  Worst-case, a captcha.

In my mind, this only works if each up/down vote is a manual action
done during the course of an investigation.  Basically, I want to know
what signatures were helpful to other IR teams during their
investigations.  I want to be sure those rules are included in my
ruleset.  Obviously, all submissions would have to be anonymous.  IP's
would be nice, but then there's a chance someone could mess up src/dst
IP and accidentally de-anonymize themselves.

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users