Snort mailing list archives

Re: Reliability of signatures


From: Martin Holste <mcholste () gmail com>
Date: Fri, 4 Feb 2011 08:50:48 -0600

> The snort signatures have a priority associated with them, either in the
> rule itself, or in the classification. Is there anywhere that the
> reliability (i.e. the chance of it not reporting a false positive) of the
> signature is recorded?


No.  There has been a lot of discussion regarding whether or not
something like that would be helpful.  I think the short answer is
that environments and preferences vary too widely to be able to
effectively communicate a signature's fidelity.  I would also argue
for those same reasons priority should not be suggested either and it
should be deprecated.

I ignore both priority and classification for signatures as they are
terribly broken right now.  For instance, the signature "CHAT MSN
messenger http link transmission attempt" is classified as Trojan
activity.  Sure, links in an MSN message can point to malware, but I
hardly think that every MSN message with a link in it should be
classified as "Trojan activity."  This is not good intel.

An effort is underway to redo the classification system, which is very
welcome.  However, I believe the new classification system will be
almost as unhelpful because though more specific, it only allows for a
signature to be placed in one category.  I favor a tagging system in
which a signature can have many tags applied to it for a comprehensive
representation of the signature author's intent.
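To make the distinction between a single classtype and a set of tags concrete, here is an added example (not code from this thread or from the Snort project). It reads the rule options that Snort rules already carry: classtype, an optional priority that overrides the classtype default, and the metadata keyword as comma-separated "key value" pairs. The three rules, their SIDs, the "intent"/"fidelity" tag vocabulary and the fallback priority of 3 are constructed for illustration; the first rule's message and classtype mirror the MSN example above.

```python
"""Reading Snort rule classtype, priority and metadata tags.

Added example, not code from the Snort project or from this thread. It
assumes standard Snort rule option syntax: `classtype:`, an optional
`priority:` that overrides the classtype default, and `metadata:` holding
comma-separated "key value" pairs. The rules, SIDs (9000001-9000003) and
the "intent"/"fidelity" tag vocabulary are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample rule set. The first rule's msg and classtype mirror the
# one discussed in the thread; its SID, header and metadata are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT MSN messenger http link transmission attempt"; classtype:trojan-activity; sid:9000001; rev:1; metadata:intent policy, intent informational, fidelity low;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE constructed trojan beacon"; classtype:trojan-activity; priority:1; sid:9000002; rev:1; metadata:intent malware, intent c2, fidelity high;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE constructed cleartext file upload"; classtype:policy-violation; sid:9000003; rev:1; metadata:intent policy, fidelity medium;)
"""

# Default priority per classtype as set in classification.config
# (trojan-activity and policy-violation are priority 1 there); the
# fallback of 3 for unknown classtypes is this example's choice.
DEFAULT_PRIORITIES = {"trojan-activity": 1, "policy-violation": 1, "misc-activity": 3}


@dataclass
class Rule:
    sid: int
    msg: str
    classtype: str
    priority: int
    tags: dict = field(default_factory=dict)  # metadata key -> set of values


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line, default_priorities=DEFAULT_PRIORITIES):
    """Parse one rule line into a Rule; the header before '(' is ignored here."""
    _header, _, rest = line.partition("(")
    body = rest.rsplit(")", 1)[0]
    opts, tags = {}, {}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "metadata":
            # Each pair is "key value"; the same key may appear several times,
            # which is what lets one rule carry more than one intent.
            for pair in value.split(","):
                k, _, v = pair.strip().partition(" ")
                tags.setdefault(k, set()).add(v.strip())
        else:
            opts[key] = value
    classtype = opts.get("classtype", "unknown")
    # An explicit priority option wins; otherwise the classtype default applies.
    priority = int(opts["priority"]) if "priority" in opts else default_priorities.get(classtype, 3)
    return Rule(int(opts["sid"]), opts.get("msg", "").strip('"'), classtype, priority, tags)


def load_rules(text, default_priorities=DEFAULT_PRIORITIES):
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [parse_rule(l, default_priorities) for l in lines]


def by_classtype(rules, classtype):
    """SIDs sharing one classtype: the only grouping classtype can express."""
    return [r.sid for r in rules if r.classtype == classtype]


def by_tag(rules, key, value):
    """SIDs carrying a given metadata tag; a rule can match several tags at once."""
    return [r.sid for r in rules if value in r.tags.get(key, set())]


def misclassified_trojan_rules(rules):
    """trojan-activity rules whose author-supplied intent tags say nothing about malware."""
    return [r.sid for r in rules
            if r.classtype == "trojan-activity" and "malware" not in r.tags.get("intent", set())]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for r in rules:
        print(r.sid, r.classtype, "priority", r.priority, dict(r.tags))
    print("classtype trojan-activity:", by_classtype(rules, "trojan-activity"))
    print("tag intent=malware:", by_tag(rules, "intent", "malware"))
    print("tag intent=policy:", by_tag(rules, "intent", "policy"))
    print("trojan-activity without a malware intent:", misclassified_trojan_rules(rules))
```

Run as a script it shows the complaint from the thread in data: grouping by classtype puts the MSN chat rule and the constructed trojan beacon in the same bucket at the same default priority, while the tag view separates them and also lets the chat rule sit under both "policy" and "informational". The misclassified_trojan_rules check is the kind of consistency test a rule maintainer could run over a ruleset once tags exist.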

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
