Snort mailing list archives
Re: Reliability of signatures
From: "Fraser, Hugh" <hugh.fraser () arcelormittal com>
Date: Fri, 4 Feb 2011 13:09:14 -0500
The discussion's got me thinking beyond my original question. What I've asked for represents two views of the signature world; my local view, and the community's view as a whole. Personally, I'd like to know what the most important (as measured, perhaps, as the most hits) 20 or so signatures in the past day, week, and month. I'd like to know trends, since they're often good predictors of what the bad guys are up to, leading to an idea of what I should be watching for. And I'd like to be able to rate each of those top 20 things based upon their impact on my environment. As Martin says, it's a manual thing. To me, this is a simple application that takes the snort log files (or database records) and does some statistical analysis, and a form to present the results and allow me to rate the signatures. I'd then like to be able to submit this information somewhere, and receive daily the same stats aggregated for the entire community, perhaps embedded within my snort signature feed. In the form I use for rating my private part of the world, I could also see results for the community as well, again to give me a heads up about what's happening from a higher altitude. This is what dshield does with network traffic, and I'm sure they have some analysis going on in the background that throttles multiple submissions and tosses statistically insignificant results to ensure that the stats aren't easilly distorted by malicious reports. I'd certainly make reporting this part of our incident response process here, and would likely check the information daily to stay current with emerging trends. Add a link to a web site for a discussion area for the current top hitters, and I'm in heaven. -----Original Message----- From: Martin Holste [mailto:mcholste () gmail com] Sent: Friday, February 04, 2011 11:52 AM To: Jason Wallace Cc: snort-users () lists sourceforge net; Martin Roesch Subject: Re: [Snort-users] Reliability of signatures
1) Isn't accuracy of rules in part reliant on how well the sensor is
tuned?
Yep, each up/down vote would equal one grain of salt.
2) Isn't the determination of a legit hit vs. FP partially dependent on the analysis skill?
Yep, see above.
3) GID:SID wouldn't be enough. You have to use GID:SID:REV since rev bumps are often done to fix FP issues.
Yep, I would actually go with G:S:R along with the SHA1 of the signature.
4) Wouldn't an open submission process/tool be vulnerable to malicious
bad data submissions?
Yep. You would have to put in a threshold for submissions of some sort and see how it goes. Worst-case, a captcha. In my mind, this only works if each up/down vote is a manual action done during the course of an investigation. Basically, I want to know what signatures were helpful to other IR teams during their investigations. I want to be sure those rules are included in my ruleset. Obviously, all submissions would have to be anonymous. IP's would be nice, but then there's a chance someone could mess up src/dst IP and accidentally de-anonymize themselves. ------------------------------------------------------------------------ ------ The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------------ The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: [Emerging-Sigs] Reliability of signatures, (continued)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Crusty Saint (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matthew Jonkman (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures List Subscriptions (Feb 10)
- Re: Reliability of signatures Jason Wallace (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Fraser, Hugh (Feb 07)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Jason Wallace (Feb 04)
- Re: Reliability of signatures beenph (Feb 04)
- Re: Reliability of signatures waldo kitty (Feb 04)
- Re: Reliability of signatures waldo kitty (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Matthew Jonkman (Feb 04)
- Re: Reliability of signatures Crusty Saint (Feb 04)
- Re: Reliability of signatures Matthew Jonkman (Feb 04)
- Re: Reliability of signatures Fraser, Hugh (Feb 07)