Re: Reliability of signatures

[Martin Holste <mcholste () gmail com>]

> I count about 30,000 signatures in the feed I pull down. That's a big effort to categorize. So perhaps an initial 
> pass using the classifications might give a reasonable starting point.

If all sigs start neutral, then each sig can be categorized as people
get around to it.  It seems like a daunting task, but there is a
linear benefit to each signature categorized/rated, so every little
bit helps.

> I was thinking that further refinement effort could be driven by the signatures that are most active at any time, like 
> the way SANS directs their efforts using dshield to identify what's most important. Over time, the most active 
> signatures receive the most attention.

That could work, but I wonder if enough people use the default
configuration that it would overpower folks who are tuning.  Might be
worth a shot, though.

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users