Snort mailing list archives

Re: Reliability of signatures


From: "Fraser, Hugh" <hugh.fraser () arcelormittal com>
Date: Fri, 4 Feb 2011 11:08:13 -0500

I count about 30,000 signatures in the feed I pull down. That's a big effort to categorize. So perhaps an initial pass 
using the classifications might give a reasonable starting point. I was thinking that further refinement effort could 
be driven by the signatures that are most active at any time, like the way SANS directs their efforts using dshield to 
identify what's most important. Over time, the most active signatures receive the most attention.

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Friday, February 04, 2011 10:52 AM
To: Joel Esler
Cc: Martin Roesch; snort-users () lists sourceforge net; Fraser, Hugh
Subject: Re: [Snort-users] Reliability of signatures

> I like that idea too.  It'd make a lot of sense to integrate it into 
> snort.org - in fact there's probably a lot of data about Snort 
> detection performance, config options and rule quality we could put 
> up there.  Communication favors the defender...


Thanks, Marty.  I'm all for free resources, but that would make this project vendor-sponsored, which makes my spider 
senses tingle...  I'd feel better if a non-profit hosted, or at least a company that doesn't sell signatures.  
Otherwise, it'd be like Starbucks sponsoring a coffee rating site.  Up-vote for Trenta!


> I would think it would need to have some kind of automatic reporting 
> method, perhaps with manual commenting?
> J

What do you mean by automatic?  I'd think we'd want this to remain manual, but as integrated into the analysis process 
as possible via whatever GUI you're using.  For SF products, a button built into the GUI, and maybe something to click 
on in Snorby, et al.?  And, of course, there would need to be the manual vote page on the site.  A basic JSON API to 
receive submissions would do fine on the web side.

Actually, I could probably code this up this weekend if someone volunteers a neutral hosting space.  Will Jeff Atwood 
sue if we use snortoverflow.com?
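Hugh's two-stage triage (a first pass by classtype, then review effort driven by whichever signatures are firing most) as an added Python sketch; this is not code from anyone on the thread. The rule lines and fast-format alert lines are constructed samples, and the patterns assume standard Snort rule option syntax and the `[gid:sid:rev]` triple of the fast alert output.

```python
import re
from collections import Counter, defaultdict
# Constructed sample rule file (not a real feed): three live rules and one commented out.
SAMPLE_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; classtype:attempted-admin; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Suspicious user agent"; classtype:policy-violation; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"DNS oddity"; classtype:misc-activity; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP sweep"; classtype:network-scan; sid:1000004; rev:3;)
'''
# Constructed alerts in Snort "fast" output format; the [gid:sid:rev] triple is what we read.
SAMPLE_ALERTS = '''
02/04-11:01:02.000001  [**] [1:1000001:2] SSH brute force attempt [**] [Priority: 1] {TCP} 203.0.113.5:51000 -> 192.0.2.10:22
02/04-11:01:05.000002  [**] [1:1000001:2] SSH brute force attempt [**] [Priority: 1] {TCP} 203.0.113.5:51001 -> 192.0.2.10:22
02/04-11:02:00.000003  [**] [1:1000004:3] ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
'''
# Rule options may appear in any order, so each one is pulled out with its own pattern.
MSG_RE = re.compile(r'msg:"([^"]*)"')
CLASS_RE = re.compile(r"classtype:([\w-]+)")
SID_RE = re.compile(r"\bsid:(\d+)")
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev] in a fast-format alert
def _opt(rx, line, default):
    m = rx.search(line)
    return m.group(1) if m else default
def parse_rules(text):
    """Map sid -> {msg, classtype}; comments, blank lines and sid-less lines are skipped."""
    rules = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        sid = _opt(SID_RE, line, None)
        if sid is not None:
            rules[int(sid)] = {"msg": _opt(MSG_RE, line, ""),
                               "classtype": _opt(CLASS_RE, line, "unclassified")}
    return rules
def count_alerts(text):
    """Count fast-format alerts per sid, keeping only generator 1 (the text rules)."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group(1) == "1":
            counts[int(m.group(2))] += 1
    return counts
def prioritize(rules, counts):
    """First pass groups by classtype; second pass orders groups and their rules by alert volume."""
    groups = defaultdict(list)
    for sid, rule in rules.items():
        groups[rule["classtype"]].append((counts.get(sid, 0), sid, rule["msg"]))
    ranked = [(sum(e[0] for e in entries), ctype, sorted(entries, key=lambda e: (-e[0], e[1])))
              for ctype, entries in groups.items()]
    return sorted(ranked, key=lambda g: (-g[0], g[1]))
```

Quiet signatures (zero alerts in the window) sink to the bottom of the list rather than disappearing, so they still get reviewed eventually.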
