Re: Snort rules false positive stats

[Matt Jonkman <jonkman () jonkmans com>]

I've talked to them about that, and the Base folks. Never followed
through on it though. I will.

We can take those reports via sidreporter, we already have a field in
the report to say user-reported FP.

Matt

CunningPike wrote:
> I have often thought it would be great if sguil had a category for false
> positives from which a report could then be generated...
>
> CP
>
> On Sun, Sep 6, 2009 at 10:34 AM, Matt Jonkman <jonkman () jonkmans com
> <mailto:jonkman () jonkmans com>> wrote:
>
>     A human has to define a false positive in most cases, so keeping stats
>     on them is pretty man-hours intensive. Thus not generally compiled.
>
>     One thing we're doing at emerging threats along that line is
>     SidReporter. We're collecting stats anonymously and automated on the
>     rules that are hitting. Several goals: rule confidence. be able to say
>     this rule is hitting frequently in many places and appears to be
>     valuable. Trending, we're seeing a huge increase in an old malware
>     strain, scanning for certain services, etc. Finally rule obsolescence.
>     Especially in malware and trojan stuff. If we've not seen a hit on a
>     particular rule for an old strain in say 6 months we can then look at
>     obsoleting the rule.
>
>     More on the tool is here:
>     http://doc.emergingthreats.net/bin/view/Main/SidReporter
>
>     Stats are anonymous and pgp encrypted in transit. Please consider
>     reporting stats to the tool. We need to increase the sample base before
>     we begin publishing results and tuning the ET ruleset.
>
>     Matt
>
>     snort user wrote:
>     > Greetings.
>     >
>     > Does anyone maintain statistics of false positive rates for the
>     snort rules,
>     > i.e. VRT or community or bleeding edge versions?
>     >
>     > Any information on these lines is much appreciated.
>     >
>     > Thanks !
>     >
>     >
>     ------------------------------------------------------------------------------
>     > Let Crystal Reports handle the reporting - Free Crystal Reports
>     2008 30-Day
>     > trial. Simplify your report design, integration and deployment -
>     and focus on
>     > what you do best, core application coding. Discover what's new with
>     > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>     > _______________________________________________
>     > Snort-users mailing list
>     > Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     > Go to this URL to change user options or unsubscribe:
>     > https://lists.sourceforge.net/lists/listinfo/snort-users
>     > Snort-users list archive:
>     > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Open Information Security Foundation (OISF)
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     http://www.openinformationsecurityfoundation.org
>     --------------------------------------------
>
>     PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>     ------------------------------------------------------------------------------
>     Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>     30-Day
>     trial. Simplify your report design, integration and deployment - and
>     focus on
>     what you do best, core application coding. Discover what's new with
>     Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users
>     <https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>
>     list archive:
>     http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
> trial. Simplify your report design, integration and deployment - and focus on 
> what you do best, core application coding. Discover what's new with 
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users