Snort mailing list archives
Re: Reliability of signatures
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 04 Feb 2011 19:34:58 -0500
On 2/4/2011 09:50, Martin Holste wrote:
For instance, the signature "CHAT MSN messenger http link transmission attempt" is classified as Trojan activity. Sure, links in an MSN message can point to malware, but I hardly think that every MSN message with a link in it should be classified as "Trojan activity." This is not good intel.
agreed which is why i questioned, on another list, the verbiage used in the snort MSG and classification portion of the rules... in the case that i questioned, the priority was the same for the classification that fit better to the rules... the "relaxed" MSG and classification text would not raise hackles as much as they currently do... the case in question was much the same as you depict... some traffic that fit a certain rule was classed as "trojan activity" when it was not and only matched the rule in question... while i agree that the tags can help in these cases, i'd much rather see the classifications of rules better conform to what they are truly detecting... an example is RBN rules... not all traffic from RBN related addresses is trojan or bad traffic... reclassifying those rules to indicate /possible/ bad traffic is better than what is currently in place... the next question is if this is going to be done... i don't specifically recall any responses to my post in that other thread on this topic, though :?
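As an added illustration of the classification point raised above (example code added here, not from the thread or the Snort project), the script below resolves each rule's effective priority from its classtype and any explicit priority keyword, showing that a better-fitting classtype need not lower severity, and lists trojan-activity rules whose msg is prefixed CHAT as reclassification candidates. The classification.config entries and rules are a constructed sample with local-range placeholder SIDs; check the priorities against your own deployment's files.

```python
import re

# Constructed sample in the stock classification.config format
# ("config classification: name,description,priority"); priorities are illustrative.
CLASSIFICATION_CONFIG = """
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
"""

# Constructed rules (placeholder SIDs): the same MSN-link check classed as trojan
# activity, as a policy violation, and as misc activity with a priority override.
RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN messenger http link transmission attempt"; content:"http|3A|//"; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN messenger http link transmission attempt"; content:"http|3A|//"; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN messenger http link transmission attempt"; content:"http|3A|//"; classtype:misc-activity; priority:1; sid:1000003; rev:1;)
"""

def parse_classifications(text):
    """Map classtype name -> priority from classification.config lines."""
    classes = {}
    for m in re.finditer(r'^config classification:\s*([\w-]+),[^,]*,(\d+)', text, re.M):
        classes[m.group(1)] = int(m.group(2))
    return classes

def parse_rule(line):
    """Pull msg, classtype, sid and the optional priority keyword out of one rule line."""
    def opt(pattern, cast=str):
        m = re.search(pattern, line)
        return cast(m.group(1)) if m else None
    return {
        "msg": opt(r'msg:"([^"]*)"'),
        "classtype": opt(r'classtype:\s*([\w-]+)\s*;'),
        "sid": opt(r'sid:\s*(\d+)\s*;', int),
        "priority": opt(r'priority:\s*(\d+)\s*;', int),
    }

def audit(rules_text, classes):
    """One (sid, classtype, effective priority, msg) tuple per rule; a rule's own
    priority keyword overrides the priority configured for its classtype."""
    out = []
    for r in map(parse_rule, rules_text.strip().splitlines()):
        prio = r["priority"] if r["priority"] is not None else classes.get(r["classtype"])
        out.append((r["sid"], r["classtype"], prio, r["msg"]))
    return out

def review_candidates(report, classtype="trojan-activity", msg_prefix="CHAT "):
    """SIDs whose msg prefix suggests a category other than the classtype given."""
    return [sid for sid, ct, _, msg in report if ct == classtype and msg.startswith(msg_prefix)]
```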