Snort mailing list archives

Re: Reliability of signatures

From: Michael Scheidell <michael.scheidell () secnap com>
Date: Fri, 4 Feb 2011 10:36:25 -0500

On 2/4/11 10:23 AM, Martin Roesch wrote:

I like that idea too.  It'd make a lot of sense to integrate it into
snort.org - in fact there's probably a lot of data about Snort
detection performance, config options and rule quality we could put up
there.  Communication favors the defender...

Marty

(greets marty, long time no hear..)

We have thought of something like this also.

some type of 'CF' (confidence factor), users can enable/disable(oinkmaster,pulled pork, snort.conf module) based on CF and company policy.

Example: any rule with a CF of 100 (10?) how granular do you want toget?) would mean that 100% of the time, this rule does NOT FP!

if an inline/block/drop/ (fwsam) rule, it would always block, if indetection mode, always alert.


CF rule of 1 (1%) would almost NEVER block;/alert.

you could have different policies for block, alert.

say, maybe, block on everything with a CF of >90%, alert on anythingwith a CF > 50%.





--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best in Email Security,2010: Network Products Guide
   * King of Spam Filters, SC Magazine 2008


______________________________________________________________________

This email has been scanned and certified safe by SpammerTrap(r).For Information please see http://www.secnap.com/products/spammertrap/

______________________________________________________________________

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Reliability of signatures, (continued)
- - - Re: Reliability of signatures beenph (Feb 04)
    - Re: Reliability of signatures waldo kitty (Feb 04)
    - Re: Reliability of signatures waldo kitty (Feb 04)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Matthew Jonkman (Feb 04)
    - Re: Reliability of signatures Crusty Saint (Feb 04)
    - Re: Reliability of signatures Matthew Jonkman (Feb 04)
    - Re: Reliability of signatures Fraser, Hugh (Feb 07)
    - Re: Reliability of signatures Martin Holste (Feb 04)
    - Re: Reliability of signatures Fraser, Hugh (Feb 07)
    - Re: Reliability of signatures Michael Scheidell (Feb 04)
    - Re: Reliability of signatures Crusty Saint (Feb 04)
    - Re: Reliability of signatures Michael Scheidell (Feb 04)
    - Re: Reliability of signatures Crusty Saint (Feb 04)
    - Re: Reliability of signatures waldo kitty (Feb 04)
    - Re: Reliability of signatures Fraser, Hugh (Feb 07)