Re: Reliability of signatures

[Matthew Jonkman <jonkman () emergingthreatspro com>]

BTW: The spec we used in sidreporter. Works well, simple, easy to generate:

http://doc.emergingthreats.net/bin/view/Main/SidReporter

Open for use in whatever project whoever sets up.

Matt

On Feb 4, 2011, at 12:06 PM, Matthew Jonkman wrote:

> I agree on the vendor being the keeper of the data. And I'd volunteer ET for the task, but any resources we'd muster 
> would be off the proceeds of ET Pro sales, so we're in the same category really.
>
> We started something like that a while ago in sidreporter, but didn't get it far off the ground unfortunately.
>
> If we do this in another venue we also need to do something to correlate sids, because the ET Pro reports would be 
> for similar vulns or issues, but different sids. So we'd really need to either correlate (major PITA), or run side by 
> side separate databases. 
>
> Then there are the issues of not disclosing sensitive data in automated reporting. I think we've done a good job 
> there in sidreporter, but it's still a concern for most companies. 
>
> So a few thoughts:
>
> A joint Sourcefire-ET Pro supported database run by community members?
>
> OISF maybe take it in as a project and volunteers run it? (could secure gov't funding for something like that in the 
> long term if it were in a non-profit)
>
> ET and SF both stand up their own? But maybe share a reporting mechanism?
>
> I dunno. Lots of possibilities, and a lot of very good data we could generate in a mostly automated way for signature 
> confidence...
>
> Thoughts?
>
> Matt
>
>
>
> On Feb 4, 2011, at 11:17 AM, Joel Esler wrote:
>
> > On Fri, Feb 4, 2011 at 10:51 AM, Martin Holste <mcholste () gmail com> wrote:
> > > > I like that idea too.  It'd make a lot of sense to integrate it into
> > > > snort.org - in fact there's probably a lot of data about Snort
> > > > detection performance, config options and rule quality we could put up
> > > > there.  Communication favors the defender...
> >
> > Thanks, Marty.  I'm all for free resources, but that would make this
> > project vendor-sponsored, which makes my spider senses tingle...  I'd
> > feel better if a non-profit hosted, or at least a company that doesn't
> > sell signatures.  Otherwise, it'd be like Starbucks sponsoring a
> > coffee rating site.  Up-vote for Trenta!
> >
> > Vendor sponsored projects are okay I think, especially since we have the resources to donate to a project that is 
> > going to make everyone's detection better.
> >
> >  
> > > I would think it would need to have some kind of automatic reporting method,
> > > perhaps with manual commenting?
> > > J
> >
> > What do you mean by automatic?  I'd think we'd want this to remain
> > manual, but as integrated into the analysis process as possible via
> > whatever GUI you're using.  For SF products, a button built into the
> > GUI, and maybe something to click on in Snorby, et al.?  And, of
> > course, there would need to be the manual vote page on the site.  A
> > basic JSON API to receive submissions would do fine on the web side.
> >
> > Actually, I could probably code this up this weekend if someone
> > volunteers a neutral hosting space.  Will Jeff Atwood sue if we use
> > snortoverflow.com?
> >
> >
> > What I was thinking was having a reputation (hit) count score from gid:sid and maybe from the IP involved, then 
> > allow people to comment on said results manually.
> >
> > Using that information could build a high or low reputation score based upon actual results, allowing the ruleset to 
> > be better tuned and formed, allowing reduction of false positives or false negatives.
> >
> > Just thinking outloud (which is usually a bad habit)
> >
> > Joel
> > ------------------------------------------------------------------------------
> > The modern datacenter depends on network connectivity to access resources
> > and provide services. The best practices for maximizing a physical server's
> > connectivity to a physical network are well understood - see how these
> > rules translate into the virtual world? 
> > http://p.sf.net/sfu/oracle-sfdevnlfb_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world? 
> http://p.sf.net/sfu/oracle-sfdevnlfb_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users