Snort mailing list archives
Re: Reliability of signatures
From: Matt Olney <molney () sourcefire com>
Date: Fri, 4 Feb 2011 09:58:28 -0500
To some extent the metadata field addresses some of that. If we put a rule only in "security-ips", then there is something that gives us pause about putting it in the more general "balanced-ips". This can be a number of issues, including false positives, performance or simply a small footprint of affected users. We have talked about expanding our use of the metadata field to include a wide variety of rule tags, including reliability. This is not a short-term effort, but it is on our radar.

Matt

On Fri, Feb 4, 2011 at 9:50 AM, Martin Holste <mcholste () gmail com> wrote:
> The snort signatures have a priority associated with them, either in the rule itself, or in the classification. Is there anywhere that the reliability (i.e. the chance of it not reporting a false positive) of the signature is recorded?

No. There has been a lot of discussion regarding whether or not something like that would be helpful. I think the short answer is that environments and preferences vary too widely to be able to effectively communicate a signature's fidelity. I would also argue for those same reasons that priority should not be suggested either and it should be deprecated. I ignore both priority and classification for signatures as they are terribly broken right now.

For instance, the signature "CHAT MSN messenger http link transmission attempt" is classified as Trojan activity. Sure, links in an MSN message can point to malware, but I hardly think that every MSN message with a link in it should be classified as "Trojan activity." This is not good intel.

An effort is underway to redo the classification system, which is very welcome. However, I believe the new classification system will be almost as unhelpful because, though more specific, it only allows for a signature to be placed in one category. I favor a tagging system in which a signature can have many tags applied to it for a comprehensive representation of the signature author's intent.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
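The thread turns on three places a Snort rule can carry "how much should I trust this" information: the classtype (which maps to a default priority in classification.config), an explicit priority option that overrides that default, and the free-form metadata field in which the VRT records policy membership as "policy balanced-ips drop, policy security-ips drop". The script below is an added example, not code from the thread or from the Snort project: it parses the option section of a rule, pulls out classtype, priority and metadata, and lets you ask which rules are in a given policy or carry an arbitrary tag such as the "reliability" tag Matt says is on the roadmap. The three sample rules, their SIDs (local range) and the "reliability low" tag are constructed for illustration; the classtype-to-priority table is a three-entry excerpt of the stock classification.config.

```python
"""Parse Snort rule options and select rules by policy or metadata tag.

Added example; not code from the snort-users thread or the Snort project.
SAMPLE_RULES and the "reliability" tag are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rules. Option syntax follows Snort's; SIDs are local-range.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN messenger http link transmission attempt"; flow:to_server,established; content:"http|3A|//"; classtype:trojan-activity; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB suspicious pipe request"; flow:to_server,established; content:"|FF|SMB"; classtype:attempted-admin; priority:1; sid:1000002; rev:2; metadata:policy security-ips drop, reliability low;)
alert tcp any any -> any 80 (msg:"EXAMPLE HTTP noisy user-agent"; content:"User-Agent|3A| curl"; classtype:misc-activity; sid:1000003; rev:1;)
'''

# Excerpt of the default classification.config priorities (1 = highest).
CLASSTYPE_PRIORITY = {"trojan-activity": 1, "attempted-admin": 1, "misc-activity": 3}

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')


def split_options(options: str) -> List[str]:
    """Split the option body on ';' outside double quotes (honours backslash escapes)."""
    parts, buf, in_quotes, escape = [], [], False, False
    for ch in options:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if ch == '\\':
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_metadata(value: str) -> Dict[str, List[str]]:
    """'policy balanced-ips drop, service http' -> {'policy': ['balanced-ips drop'], 'service': ['http']}."""
    tags: Dict[str, List[str]] = {}
    for item in value.split(','):
        words = item.split()
        if words:
            tags.setdefault(words[0], []).append(' '.join(words[1:]))
    return tags


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    classtype: Optional[str]
    priority: Optional[int]
    metadata: Dict[str, List[str]]

    def policies(self) -> Dict[str, str]:
        """Map policy name -> action from 'policy <name> <action>' metadata entries."""
        out: Dict[str, str] = {}
        for entry in self.metadata.get('policy', []):
            name, _, action = entry.partition(' ')
            out[name] = action or 'alert'
        return out


def parse_rule(line: str) -> Optional[Rule]:
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    fields: dict = {'metadata': {}}
    for opt in split_options(m.group('options')):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'msg':
            fields['msg'] = val.strip('"')
        elif key in ('sid', 'rev', 'priority'):
            fields[key] = int(val)
        elif key == 'classtype':
            fields['classtype'] = val
        elif key == 'metadata':
            fields['metadata'] = parse_metadata(val)
    if 'sid' not in fields:
        return None
    return Rule(sid=fields['sid'], rev=fields.get('rev', 0), msg=fields.get('msg', ''),
                classtype=fields.get('classtype'), priority=fields.get('priority'),
                metadata=fields['metadata'])


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            r = parse_rule(line)
            if r:
                rules.append(r)
    return rules


def effective_priority(rule: Rule, classtypes: Dict[str, int] = CLASSTYPE_PRIORITY) -> int:
    """An explicit priority: option overrides the classtype default; unknown classtypes fall back to 3."""
    if rule.priority is not None:
        return rule.priority
    return classtypes.get(rule.classtype or '', 3)


def rules_in_policy(rules: List[Rule], policy: str) -> List[int]:
    return [r.sid for r in rules if policy in r.policies()]


def rules_tagged(rules: List[Rule], key: str, value: str) -> List[int]:
    return [r.sid for r in rules if value in r.metadata.get(key, [])]


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    for r in parsed:
        print(r.sid, effective_priority(r), r.classtype, r.policies(), r.msg)
    print('security-ips only:', sorted(set(rules_in_policy(parsed, 'security-ips'))
                                       - set(rules_in_policy(parsed, 'balanced-ips'))))
```

The last line of the usage block answers the question Matt raises: rules present in security-ips but absent from balanced-ips are the ones the VRT had some reason (false positives, performance, small affected population) not to push to the general policy, so that set difference is a usable first approximation of "lower confidence" until a real reliability tag exists. Because metadata is parsed generically, a locally added tag such as the constructed "reliability low" needs no parser change.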
Current thread:
- Increase in ASN.1 alerts Joe Gedeon (Feb 02)
- Re: Increase in ASN.1 alerts Michael Scheidell (Feb 02)
- Reliability of signatures Fraser, Hugh (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Matt Olney (Feb 04)
- Re: Reliability of signatures Jim Hranicky (Feb 04)
- Re: Reliability of signatures Matt Olney (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Jim Hranicky (Feb 04)
- Re: Reliability of signatures Martin Roesch (Feb 04)
- Re: Reliability of signatures Joel Esler (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Joel Esler (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)