Re: Reliability of signatures

[Matt Olney <molney () sourcefire com>]

To some extent the metadata field addresses some of that.  If we put a rule
only in "security-ips", then there is something that gives us pause to
putting it in the more general "balanced-ips".  This can be a number of
issues, including false-positive, performance or simply a small footprint of
affected users.

We have talked about expanding our use of the metadata field to include a
wide variety of rule tags, including reliability.  This is not a short-term
effort, but it is on our radar.

Matt

On Fri, Feb 4, 2011 at 9:50 AM, Martin Holste <mcholste () gmail com> wrote:

> > The snort signatures have a priority associated with them, either in the
> > rule itself, or in the classification. Is there anywhere that the
> > reliability (ie. the chance of it not reporting a false positive) of the
> > signature is recorded?
>
> No.  There has been a lot of discussion regarding whether or not
> something like that would be helpful.  I think the short answer is
> that environments and preferences vary too widely to be able to
> effectively communicate a signature's fidelity.  I would also argue
> for those same reasons priority should not be suggested either and it
> should be deprecated.
>
> I ignore both priority and classification for signatures as they are
> terribly broken right now.  For instance, the signature "CHAT MSN
> messenger http link transmission attempt" is classified as Trojan
> activity.  Sure, links in an MSN message can point to malware, but I
> hardly think that every MSN message with a link in it should be
> classified as "Trojan activity."  This is not good intel.
>
> An effort is underway to redo the classification system, which is very
> welcome.  However, I believe the new classification system will be
> almost as unhelpful because though more specific, it only allows for a
> signature to be placed in one category.  I favor a tagging system in
> which a signature can have many tags applied to it for a comprehensive
> representation of the signature author's intent.
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users