Snort mailing list archives
Re: Reliability of signatures
From: beenph <beenph () gmail com>
Date: Fri, 4 Feb 2011 14:03:35 -0500
On Fri, Feb 4, 2011 at 1:53 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
> threshold/event_filter statements will fudge that up too...
>
> On Fri, Feb 4, 2011 at 1:45 PM, Martin Holste <mcholste () gmail com> wrote:
>>> Personally, I'd like to know what the most important (as measured, perhaps, as the most hits)
>>
>> Ok, hang on--I'd actually say that you can get a pretty good idea of the most important signatures by sorting them in ascending order by hits. The higher the number of hits, the greater probability that each hit is an FP and the signature isn't helpful. Important caveats would be for the sigs that aren't alerting on "bad" traffic, but traffic that is usually good unless it's from a certain IP address (JAR files, exe files, etc.) or SCAN signatures. That nuance actually makes this kind of hard to do in a helpful way. It's for this reason that I want the manual submissions, not based on logs.
>
> I think there's an in YOUR somewhere.
A typo, shit happens, English is not my first language.

This aside, if you can't create multiple rule set instances for the same traffic and make a clear distinction on rule importance for each instance, you won't be able to achieve something valuable at the end. If you are still managing your clients' rules with something like PulledPork or by hand you might also have an issue. Open-source UIs have been lacking for years on "sensor" management, rule context like thresholding and suppression (for individual instances or multiple instances or even system wide). Some of them even ignore revision. All of this points to the usage you make of the publicly available data and/or even subscribed data.

All the changes to a submission system will still be context relevant and might not apply to you, and you will end up having people who will not try to understand what they actually see but will basically rely on that to apply automatic rule tuning, and the problem will still be there for the "unknown" proportion of people who do not take the time to tune and manage their rule set.

-elz
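An added example, not part of this thread, of the hit-count ranking Martin describes with Jason's caveat applied: it counts hits per signature from alert_fast lines and marks any signature covered by an event_filter statement, since limit/threshold/both filters change how many of the real matches ever reach the log. The alert lines and event_filter statements below are constructed samples, not real data.

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not real traffic).
ALERTS = """\
02/04-14:00:01.000001  [**] [1:2000001:3] ET POLICY example A [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 192.0.2.10:80
02/04-14:00:02.000001  [**] [1:2000001:3] ET POLICY example A [**] [Priority: 3] {TCP} 10.0.0.6:40002 -> 192.0.2.10:80
02/04-14:00:03.000001  [**] [1:2000001:3] ET POLICY example A [**] [Priority: 3] {TCP} 10.0.0.7:40003 -> 192.0.2.10:80
02/04-14:00:04.000001  [**] [1:2000002:1] ET SCAN example B [**] [Priority: 2] {TCP} 10.0.0.5:40004 -> 192.0.2.11:22
02/04-14:00:05.000001  [**] [1:2000003:2] ET TROJAN example C [**] [Priority: 1] {TCP} 10.0.0.9:40005 -> 192.0.2.12:443
"""

# Constructed sample of event_filter statements (threshold.conf / snort.conf syntax).
FILTERS = """\
event_filter gen_id 1, sig_id 2000002, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 2000003, type both, track by_dst, count 5, seconds 60
"""

ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev]
FILTER_RE = re.compile(r"event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(\w+)")

def count_hits(alert_text):
    """Logged hits per (gid, sid) from alert_fast lines."""
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            hits[(int(m.group(1)), int(m.group(2)))] += 1
    return hits

def parse_filters(filter_text):
    """Map (gid, sid) -> event_filter type (limit, threshold or both)."""
    filters = {}
    for line in filter_text.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            filters[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return filters

def rank_signatures(alert_text, filter_text):
    """(sid, hits, filtered) with the most-hit (most FP-suspect) sigs first.

    filtered=True means an event_filter alters the logged count, so the
    hit count is not a usable proxy for how often the rule really matched.
    """
    hits = count_hits(alert_text)
    filters = parse_filters(filter_text)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key[1], n, key in filters) for key, n in ranked]
```

Signatures flagged as filtered need their threshold.conf reviewed before any automatic tuning is based on their counts.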