Snort mailing list archives

Re: Reliability of signatures


From: beenph <beenph () gmail com>
Date: Fri, 4 Feb 2011 13:33:07 -0500

Honestly, I think that if you provide a service that is based on a free
resource or paid subscription, you should
give yourself a process to filter the detection input you receive and be able
to adapt it for your setup.


If your analyst can't do it there is probably an in your process somewhere.


On Fri, Feb 4, 2011 at 12:56 PM, Martin Holste <mcholste () gmail com> wrote:
Actually this discussion is helping.  It's letting us know what you are
interested in.


Ok, cool.

So, here's my feedback to SF/ET regarding what will help, and I'll try
to summarize the above comments to be sure I have understood them:

1. Up/down vote per gid:sid:rev my analysts can click on at the tail
end of an investigation to indicate that something's been helpful with
a way to make a note of how it was helpful.
2. Dshield/sidreporter-style automated submissions so that you guys
can see the sigs that are flagging on all kinds of FP's right off the
bat and also to get a cross-section of what IP's are flagging alerts.
3. Up/down vote for category confidence on a given gid:sid:rev.
And, I'd personally add a fourth that I feel is very important:
4. Tag suggestion for a gid:sid:rev with corresponding up/down vote
for confidence.

I personally want to see 1 and 4 implemented ASAP, and they can be
started without retrofitting to all existing signatures.  Each datum
contributed is value added.

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world?
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
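The feedback loop Martin sketches above (per-gid:sid:rev up/down votes with notes, tag suggestions with their own votes, and a cross-section of which source IPs trip each signature) is small enough to prototype locally. The following is an added illustration, not code from this thread or from Sourcefire/Emerging Threats; it assumes Snort's "fast" alert output format, and the sids, addresses and votes are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Matches the "[gid:sid:rev] msg" block and the {proto} src -> dst tail of a
# Snort fast-format alert line. Assumption: alerts were written with -A fast.
FAST_ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s*(?P<src>[\d.]+)(?::\d+)?\s*->\s*(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (fictional sids, RFC 1918 addresses); not real rules.
SAMPLE_ALERTS = [
    "02/04-12:56:01.000001  [**] [1:1000001:2] EXAMPLE web scanner UA [**] [Priority: 2] {TCP} 10.1.1.10:51234 -> 192.168.0.5:80",
    "02/04-12:56:02.000002  [**] [1:1000001:2] EXAMPLE web scanner UA [**] [Priority: 2] {TCP} 10.1.1.11:51235 -> 192.168.0.5:80",
    "02/04-12:56:03.000003  [**] [1:1000002:1] EXAMPLE chatty monitoring agent [**] [Priority: 3] {UDP} 10.1.1.10:5000 -> 192.168.0.6:161",
    "02/04-12:56:04.000004  [**] [1:1000002:1] EXAMPLE chatty monitoring agent [**] [Priority: 3] {UDP} 10.1.1.10:5000 -> 192.168.0.6:161",
    "garbage line that does not parse",
]


def parse_alert(line):
    """Return (gid:sid:rev, msg, src_ip) for a fast-format alert line, or None."""
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    key = f"{m['gid']}:{m['sid']}:{m['rev']}"
    return key, m["msg"], m["src"]


class SignatureFeedback:
    """Collects alert counts, analyst votes and tag suggestions keyed on gid:sid:rev."""

    def __init__(self):
        self.hits = Counter()                 # alerts seen per signature
        self.sources = defaultdict(Counter)   # signature -> src ip -> count
        self.votes = defaultdict(list)        # signature -> [(helpful, note)]
        self.tags = defaultdict(lambda: defaultdict(Counter))  # sig -> tag -> up/down

    def ingest(self, lines):
        """Parse alert lines; returns how many were usable."""
        parsed = 0
        for line in lines:
            rec = parse_alert(line)
            if rec is None:
                continue
            key, _msg, src = rec
            self.hits[key] += 1
            self.sources[key][src] += 1
            parsed += 1
        return parsed

    def vote(self, key, helpful, note=""):
        """Item 1 in the list: an up/down vote plus a free-text note."""
        self.votes[key].append((bool(helpful), note))

    def suggest_tag(self, key, tag, agree=True):
        """Item 4: a suggested tag with its own up/down confidence vote."""
        self.tags[key][tag]["up" if agree else "down"] += 1

    def confidence(self, key):
        """Fraction of 'helpful' votes, or None if nobody has voted yet."""
        v = self.votes.get(key, [])
        if not v:
            return None
        return sum(1 for helpful, _ in v if helpful) / len(v)

    def report(self):
        """One row per signature: volume, distinct sources, confidence, net tag votes."""
        rows = []
        for key, n in self.hits.most_common():
            tags = {t: c["up"] - c["down"] for t, c in self.tags[key].items()}
            rows.append({"sig": key, "alerts": n,
                         "distinct_src": len(self.sources[key]),
                         "confidence": self.confidence(key), "tags": tags})
        return rows


def demo():
    """Run the constructed sample through the store; returns report rows keyed by sig."""
    fb = SignatureFeedback()
    fb.ingest(SAMPLE_ALERTS)
    fb.vote("1:1000001:2", True, "confirmed against proxy logs")
    fb.vote("1:1000001:2", True, "scanner UA seen from two hosts")
    fb.vote("1:1000002:1", False, "internal SNMP poller, pure noise here")
    fb.suggest_tag("1:1000001:2", "recon")
    fb.suggest_tag("1:1000002:1", "policy-noise")
    return {row["sig"]: row for row in fb.report()}


if __name__ == "__main__":
    for sig, row in demo().items():
        print(sig, row)
```

The report is the cross-section item 2 asks for: a signature that fires on many distinct sources with low analyst confidence is a strong false-positive candidate, while one with few sources and high confidence is worth keeping even at low volume.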