Snort mailing list archives

Re: Reliability of signatures


From: Martin Holste <mcholste () gmail com>
Date: Fri, 4 Feb 2011 13:44:58 -0600

> I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can 
> be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just 
> not of interest, vs not hitting on what it's supposed to be looking for.


Right, which is why this is voting.  If someone goes through the
effort of marking a sig a certain way, it means something to them, and
I'm interested in that.  I'm sure some people will accidentally mark a
sig a false positive because they didn't investigate it thoroughly.
I'm betting that there are more instances of people correctly
evaluating the signature than mistakes.  If you think that's wrong and
too naive, then we should probably scrap the whole idea.

> I don't see real good ways to make that distinction en masse, I certainly wouldn't want to have to mark events that 
> way in addition to the usual handling of events.


Nobody "wants" to do this, but there is an incredible amount of value
for a small amount of community work.

> I think there is definitely value in just tracking raw hits. Few things off the top of my head:


Agree 100%.  I want to do both auto and manual reporting.
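To make the "auto and manual reporting" split concrete, here is an added example (not code from the thread, from Martin, or from Snort itself) that does both halves over constructed data: the automatic side counts raw hits per signature from Snort alert_fast output lines, and the manual side folds analyst votes into a per-signature rating. The vote vocabulary keeps the distinction raised in the quoted reply, separating "fp" (rule fired on traffic it was not written for) from "noise" (rule fired on exactly what it looks for, but the hit is not of interest to this organization), and it refuses to publish a rating until a minimum number of votes exists, so a single careless mark cannot define a signature. The sample alert lines, the votes, the sid/rev values, the hosts and the `min_votes` threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's alert_fast line format. These are sample data
# made up for the example, not real events from the thread.
SAMPLE_ALERTS = """\
02/04-13:40:01.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 192.0.2.9:1434
02/04-13:40:02.000002  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 192.0.2.10:1434
02/04-13:41:03.000003  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.20:80 -> 10.0.0.7:51234
02/04-13:41:04.000004  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.20:80 -> 10.0.0.7:51235
02/04-13:41:05.000005  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.21:80 -> 10.0.0.8:51236
02/04-13:42:06.000006  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.9:51237 -> 192.0.2.30:443
"""

# Constructed analyst votes keyed by gid:sid:rev. Three verdicts, following the
# distinction in the thread: "tp" (fired on what it looks for and it mattered),
# "fp" (fired on traffic it was not written for), "noise" (fired correctly, but the
# hit is not of interest here). "noise" is deliberately NOT counted as a false positive.
SAMPLE_VOTES = [
    ("1:1201:7", "fp"), ("1:1201:7", "fp"), ("1:1201:7", "noise"), ("1:1201:7", "tp"),
    ("1:2003:8", "tp"), ("1:2003:8", "tp"), ("1:2003:8", "tp"),
    ("1:1000001:1", "fp"),  # a single vote: below the threshold, so no rating yet
]

# Matches the "[**] [gid:sid:rev] msg [**]" portion of an alert_fast line.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
VERDICTS = ("tp", "fp", "noise")


def count_hits(alert_text):
    """Automatic side: raw hit count and message per gid:sid:rev."""
    hits = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank line or a line in some other output format
        key = f"{m.group(1)}:{m.group(2)}:{m.group(3)}"
        entry = hits.setdefault(key, {"msg": m.group(4), "count": 0})
        entry["count"] += 1
    return hits


def rate_signatures(hits, votes, min_votes=3):
    """Manual side: fold votes into a rating per signature.

    reliability = tp / (tp + fp). It is None when fewer than min_votes votes exist
    (so one accidental mark cannot set the rating) or when every vote was "noise",
    which says nothing about whether the rule detects what it claims to.
    """
    tally = defaultdict(lambda: {"tp": 0, "fp": 0, "noise": 0})
    for key, verdict in votes:
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r} for {key}")
        tally[key][verdict] += 1

    report = {}
    for key in set(hits) | set(tally):  # signatures with hits, votes, or both
        t = tally[key]
        total = t["tp"] + t["fp"] + t["noise"]
        decided = t["tp"] + t["fp"]
        reliability = t["tp"] / decided if (total >= min_votes and decided > 0) else None
        report[key] = {
            "msg": hits.get(key, {}).get("msg"),
            "hits": hits.get(key, {}).get("count", 0),
            "votes": total,
            "tp": t["tp"], "fp": t["fp"], "noise": t["noise"],
            "reliability": reliability,
        }
    return report


if __name__ == "__main__":
    for key, r in sorted(rate_signatures(count_hits(SAMPLE_ALERTS), SAMPLE_VOTES).items()):
        print(key, r)
```

On the sample data, the ATTACK-RESPONSES rule ends up with three raw hits, one true positive, two false positives and one "noise" vote, giving a reliability of 1/3 while still recording that one site simply did not care about a correct hit; the local rule has a hit and a vote but no rating, because one vote is below the threshold.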

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users