Re: Snort rules false positive stats

[CunningPike <cunningpike () gmail com>]

I have often thought it would be great if sguil had a category for false
positives from which a report could then be generated...

CP

On Sun, Sep 6, 2009 at 10:34 AM, Matt Jonkman <jonkman () jonkmans com> wrote:

> A human has to define a false positive in most cases, so keeping stats
> on them is pretty man-hours intensive. Thus not generally compiled.
>
> One thing we're doing at emerging threats along that line is
> SidReporter. We're collecting stats anonymously and automated on the
> rules that are hitting. Several goals: rule confidence. be able to say
> this rule is hitting frequently in many places and appears to be
> valuable. Trending, we're seeing a huge increase in an old malware
> strain, scanning for certain services, etc. Finally rule obsolescence.
> Especially in malware and trojan stuff. If we've not seen a hit on a
> particular rule for an old strain in say 6 months we can then look at
> obsoleting the rule.
>
> More on the tool is here:
> http://doc.emergingthreats.net/bin/view/Main/SidReporter
>
> Stats are anonymous and pgp encrypted in transit. Please consider
> reporting stats to the tool. We need to increase the sample base before
> we begin publishing results and tuning the ET ruleset.
>
> Matt
>
> snort user wrote:
> > Greetings.
> >
> > Does anyone maintain statistics of false positive rates for the snort
> rules,
> > i.e. VRT or community or bleeding edge versions?
> >
> > Any information on these lines is much appreciated.
> >
> > Thanks !
> ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> > trial. Simplify your report design, integration and deployment - and
> focus on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users