Re: [Emerging-Sigs] Reliability of signatures

[Matthew Jonkman <jonkman () emergingthreatspro com>]

On Feb 10, 2011, at 9:53 AM, Matt Olney wrote:
> I think the idea of a community report on FPs is very useful.  I would think that it would be useful for some 
> organizations to have it hosted at Sourcefire or another entity that can be trusted to secure pcap submissions if the 
> submitter wants to provide the data to a trusted source.  Maybe Joel and Jonkman can work something out for 
> information sharing.

Agreed, and I suspect we can work something out. I think if we made a real legal entity (a 501c3 non profit maybe), 
then that entity could legally enter into non-dosclosure agreements with companies that (rightfully so) need a legal 
assurance that the data and stats they submit would be protected. 

Will have to put some thought into it...

Matt


> Just some thoughts, back to Razorback dev.
>
> Matt
>
> On Thu, Feb 10, 2011 at 8:30 AM, Michael Stone <mstone+snort () mathom us> wrote:
> On Fri, Feb 04, 2011 at 02:01:05PM -0500, Matthew Jonkman wrote:
> > I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can 
> > be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just 
> > not of interest, vs nt hitting on what it's supposed to be looking for.
>
> Well, even that distincion isn't so clear. Does "what it's supposed to
> be looking for" mean "the string the signature was written against" or
> "the malware the signature was written against"?
>
> Mike Stone
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users