Snort mailing list archives
Re: Snort rules false positive stats
From: Matt Jonkman <jonkman () jonkmans com>
Date: Fri, 11 Sep 2009 13:16:35 -0400
I've talked to them about that, and the Base folks. Never followed through on it though. I will.

We can take those reports via sidreporter; we already have a field in the report to say user-reported FP.

Matt

CunningPike wrote:
> I have often thought it would be great if sguil had a category for false positives from which a report could then be generated...
>
> CP
>
> On Sun, Sep 6, 2009 at 10:34 AM, Matt Jonkman <jonkman () jonkmans com> wrote:
>
> > A human has to define a false positive in most cases, so keeping stats on them is pretty man-hours intensive. Thus not generally compiled.
> >
> > One thing we're doing at emerging threats along that line is SidReporter. We're collecting stats anonymously and automated on the rules that are hitting. Several goals:
> >
> > Rule confidence. Be able to say this rule is hitting frequently in many places and appears to be valuable.
> >
> > Trending. We're seeing a huge increase in an old malware strain, scanning for certain services, etc.
> >
> > Finally rule obsolescence. Especially in malware and trojan stuff. If we've not seen a hit on a particular rule for an old strain in say 6 months we can then look at obsoleting the rule.
> >
> > More on the tool is here: http://doc.emergingthreats.net/bin/view/Main/SidReporter
> >
> > Stats are anonymous and pgp encrypted in transit. Please consider reporting stats to the tool. We need to increase the sample base before we begin publishing results and tuning the ET ruleset.
> >
> > Matt
> >
> > snort user wrote:
> > > Greetings.
> > >
> > > Does anyone maintain statistics of false positive rates for the snort rules, i.e. VRT or community or bleeding edge versions?
> > >
> > > Any information on these lines is much appreciated.
> > >
> > > Thanks !
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Emerging Threats
> > Open Information Security Foundation (OISF)
> > Phone 765-429-0398
> > Fax 312-264-0205
> > http://www.emergingthreats.net
> > http://www.openinformationsecurityfoundation.org
> > --------------------------------------------
> > PGP: http://www.jonkmans.com/mattjonkman.asc
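The three goals Matt lists for SidReporter (rule confidence, trending, obsolescence) plus the user-reported-FP field all reduce to per-SID aggregation over alert logs from many sensors. The following is an added example, not part of this thread and not SidReporter's own code, showing how such stats can be built from Snort fast-format alert lines. The alert lines, sensor names, SIDs (9000001 to 9000003) and rule messages are constructed placeholders; the 182-day staleness window and the three-sensor confidence threshold are assumptions chosen to mirror the "6 months" and "hitting in many places" wording above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for Snort's "fast" alert output: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...".
FAST_ALERT = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample input: (sensor id, year of the log, fast alert lines).
# Fast alerts carry no year, so the reporting sensor must supply it.
# SIDs 9000001..9000003 and the TEST messages are placeholders, not real rules.
SAMPLE_REPORTS = [
    ("sensor-a", 2009, [
        "09/01-08:15:02.000001  [**] [1:9000001:3] TEST SCAN placeholder scan [**] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:22",
        "09/03-11:40:55.000002  [**] [1:9000002:1] TEST TROJAN placeholder beacon [**] [Priority: 1] {TCP} 10.0.0.7:51000 -> 192.0.2.10:80",
    ]),
    ("sensor-b", 2009, [
        "09/02-17:03:10.000003  [**] [1:9000001:3] TEST SCAN placeholder scan [**] [Priority: 2] {TCP} 10.0.0.12:33000 -> 10.0.0.9:22",
        "02/14-09:00:00.000004  [**] [1:9000003:2] TEST TROJAN old strain placeholder [**] [Priority: 1] {TCP} 10.0.0.3:40000 -> 198.51.100.5:8080",
    ]),
    ("sensor-c", 2009, [
        "09/05-22:10:44.000005  [**] [1:9000001:3] TEST SCAN placeholder scan [**] [Priority: 2] {TCP} 10.0.0.20:50001 -> 10.0.0.9:22",
        "this line is not an alert and is skipped by the parser",
    ]),
]

# Constructed: the operator of sensor-a reported SID 9000002 as a false positive.
USER_REPORTED_FP = {"sensor-a": {9000002}}

# Reference date for the staleness check (assumed; the date of this reply).
REFERENCE_DATE = datetime(2009, 9, 11)


def parse_fast_alert(line, year):
    """Return (sid, rev, msg, timestamp) for one fast-format line, or None if it is not an alert."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return int(m["sid"]), int(m["rev"]), m["msg"], ts


def aggregate(reports, fp_reports):
    """Per-SID stats: hit count, distinct reporting sensors, first/last seen, FP reports."""
    stats = defaultdict(lambda: {"hits": 0, "sensors": set(), "first": None,
                                 "last": None, "fp_reports": 0, "msg": ""})
    for sensor, year, lines in reports:
        for line in lines:
            parsed = parse_fast_alert(line, year)
            if parsed is None:
                continue
            sid, rev, msg, ts = parsed
            s = stats[sid]
            s["hits"] += 1
            s["sensors"].add(sensor)
            s["msg"] = msg
            if s["first"] is None or ts < s["first"]:
                s["first"] = ts
            if s["last"] is None or ts > s["last"]:
                s["last"] = ts
        # Count user-reported false positives even for SIDs with no parsed hits.
        for sid in fp_reports.get(sensor, ()):
            stats[sid]["fp_reports"] += 1
    return stats


def classify(stats, now, stale_after=timedelta(days=182), min_sensors=3):
    """Label each SID: no-hits, obsolete-candidate, fp-reported, confident or watch."""
    labels = {}
    for sid, s in stats.items():
        if s["last"] is None:
            labels[sid] = "no-hits"            # only FP reports, never a hit
        elif now - s["last"] > stale_after:
            labels[sid] = "obsolete-candidate" # silent for more than the window
        elif s["fp_reports"] > 0:
            labels[sid] = "fp-reported"        # needs a human look before trusting it
        elif len(s["sensors"]) >= min_sensors:
            labels[sid] = "confident"          # hitting in many places
        else:
            labels[sid] = "watch"
    return labels


if __name__ == "__main__":
    stats = aggregate(SAMPLE_REPORTS, USER_REPORTED_FP)
    for sid, label in sorted(classify(stats, REFERENCE_DATE).items()):
        s = stats[sid]
        last = s["last"].strftime("%Y-%m-%d") if s["last"] else "-"
        print(f"{sid} {label:18} hits={s['hits']} sensors={len(s['sensors'])} "
              f"last={last} fp={s['fp_reports']} msg={s['msg']!r}")
```

The classifier checks staleness before the FP flag on purpose: a rule nobody has seen fire for half a year is an obsolescence question regardless of old FP reports, while a rule still firing and flagged as FP is a tuning question. Trending would be a second pass over the same per-SID timestamps bucketed by week, which this example leaves out.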
Current thread:
- Re: Snort rules false positive stats CunningPike (Sep 09)
- Re: Snort rules false positive stats Matt Jonkman (Sep 11)