Re: Reliability of signatures

[Crusty Saint <saintcrusty () gmail com>]

ehrm ... i'm not quite sure where this leads .... obviously .... so here i
go anyway

Being able to separate between protections that have and don't have known
false-rates directly from log entries (daq) is in itself practical, imho it
permits to work with a 'sketch or picture' for that specific environment
which is easier to adapt to.

Correct me if i'm wrong .... known FP/FN sid's vs known sid's with neither
FP/FN could allready by categorized as a first level of confidence.

Actually it does 'feel' that multiple levels-of-confidence could be better
then a single confidence level.

For now i only see Three  ( draftish )

1) FP/FN confidence level (Y/N)
2) Personal Confidence level ( Categories )
3) Community Confidence level ( Percentage )


Checkpoint's confidence levels are a nice way of doing things but then
again, who wants a sid that is 50% correct ? Better then nothing, agreed,
but when would one have to care for that percentage of doubt ? Which is a
big plus for snort as their sid's are open, one could actually verify what
is checked for.




2011/2/4 Michael Scheidell <michael.scheidell () secnap com>

>  On 2/4/11 11:12 AM, Crusty Saint wrote:
>
> For now a flag for false-pos and one for false-neg would be nice to have.
>
> a SORTA OF A BAYSIAN sorta thing?
>
> fp's go to 'ham', not fp's go to 'spam'? :-)
>
> you poll the value (CF) confidence factor .
>
>
>
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> > *| *SECNAP Network Security Corporation
>
>    - Certified SNORT Integrator
>    - 2008-9 Hot Company Award Winner, World Executive Alliance
>    - Five-Star Partner Program 2009, VARBusiness
>    - Best in Email Security,2010: Network Products Guide
>    - King of Spam Filters, SC Magazine 2008
>
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------
>
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users